OWASP coreruleset up to 3.3.7/4.21.x Multipart Request incomplete filtering

Summaryinfo

A vulnerability classified as critical has been found in OWASP coreruleset up to 3.3.7/4.21.x. The affected element is an unknown function of the component Multipart Request Handler. The manipulation leads to incomplete filtering. This vulnerability is referenced as CVE-2026-21876. Remote exploitation of the attack is possible. Furthermore, an exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in OWASP coreruleset up to 3.3.7/4.21.x (Firewall Software) and classified as critical. This issue affects some unknown processing of the component Multipart Request Handler. The manipulation with an unknown input leads to a incomplete filtering vulnerability. Using CWE to declare the problem leads to CWE-794. The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-21876 since 01/05/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are unknown but a public exploit is available.

The exploit is available at exploit-db.com. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 282487 (Linux Distros Unpatched Vulnerability : CVE-2026-21876), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 3.3.8 or 4.22.0 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 80d80473abf71bd49bf6d3c1ab221e3c74e4eb83 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Exploit-DB (52558), Tenable (282487) and CERT Bund (WID-SEC-2026-1185). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• Kemp LoadMaster
• Progress Software MOVEit

Productinfo

Type

• Firewall Software

Vendor

• OWASP

Name

• coreruleset

Version

• 3.3.0
• 3.3.1
• 3.3.2
• 3.3.3
• 3.3.4
• 3.3.5
• 3.3.6
• 3.3.7
• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10
• 4.11
• 4.12
• 4.13
• 4.14
• 4.15
• 4.16
• 4.17
• 4.18
• 4.19
• 4.20
• 4.21

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion