Security

CVE-2026-21876: Critical Multipart Charset Bypass Fixed in CRS 4.22.0 and 3.3.8

We are disclosing a security bypass vulnerability in OWASP CRS that affects rule 922110, which validates charset parameters in multipart/form-data requests. This vulnerability, assigned CVE-2026-21876, has existed since the rule was introduced and affected all supported CRS versions.

Published: January 6, 2026
Reported by: some0ne (https://github.com/daytriftnewgen)
Fixed by: Ervin Hegedüs (airween) and Felipe Zipitría (fzipi)
Severity: CRITICAL (CVSS 9.3)
Internal ID: 9AJ-260102

The vulnerability allows attackers to bypass charset validation by exploiting how ModSecurity's chained rules process collections. We have developed and tested a fix that is now available in CRS version 4.22.0 and CRS version 3.3.8.