Critical ModSecurity Flaws Let Attackers Bypass Firewall Rules
Key Takeaways Two critical vulnerabilities, CVE-2026-52761 and CVE-2026-52747, have been discovered in OWASP ModSecurity, a popular open-source web application firewall (WAF). These flaws enable...
Key Takeaways
- Two critical vulnerabilities, CVE-2026-52761 and CVE-2026-52747, have been discovered in OWASP ModSecurity, a popular open-source web application firewall (WAF).
- These flaws enable attackers to bypass ModSecurity’s security rules by manipulating input processing.
- All ModSecurity versions up to 3.0.15 are affected.
- A fix is available in ModSecurity version 3.0.16, and immediate upgrade is strongly recommended.
OWASP ModSecurity, a widely deployed open-source web application firewall (WAF), has disclosed two significant vulnerabilities that could allow attackers to circumvent its protective measures. These flaws, identified as CVE-2026-52761 and CVE-2026-52747, impact ModSecurity versions through 3.0.15, and have since been addressed in the recently released version 3.0.16.
Table Of Content
CVE-2026-52761: 32-bit Truncation Flaw
The first of these issues, The first issue, CVE-2026-52761, is a moderate-severity bug affecting the utf8toUnicode transformation, specifically on i386 (32-bit) systems. This transformation is a cornerstone of many ModSecurity rules, designed to normalize user input before it undergoes security inspection.
The vulnerability arises from an incorrect application of the sizeof() operator on a pointer type within the transformation’s code. Instead of accurately determining the actual buffer length for processing, the code mistakenly calculates the size of the pointer itself. On 32-bit systems, this results in only 4 bytes being processed, leading to truncated or incorrect output.
Curiously, this bug often goes unnoticed on 64-bit systems because the pointer size (8 bytes) coincidentally matches the intended buffer size. However, the inconsistency on i386 architectures creates a critical blind spot, allowing attackers to craft malformed payloads that bypass security checks. Any ModSecurity rule relying on this particular transformation may fail to properly inspect malicious input, thereby neutralizing the WAF’s defense.
Analysis by researchers indicates that the root cause lies in improper buffer handling within several sections of the transformation code. Until patches are fully implemented, organizations are advised to avoid deploying ModSecurity on i386 systems.
CVE-2026-52747: Multipart Parser Bypass
The second vulnerability, CVE-2026-52747, carries a higher severity rating due to its direct impact on the integrity of request inspection. This flaw resides within the libmodsecurity multipart/form-data parser.
The issue manifests when the parser processes non-file form fields containing embedded line breaks, such as carriage-return (r) and line-feed (n) sequences. Instead of preserving these critical characters, the parser silently strips them before the data is passed to ModSecurity rules. For example, an input like “ArnB” or “AnB” is transformed into “AB” for ModSecurity’s inspection.
Crucially, backend applications typically retain the original formatting, creating a dangerous mismatch between the data the WAF inspects and the data the application receives. This discrepancy enables attackers to conceal malicious input that relies on line breaks, such as specific injection payloads or exploits targeting parser behavior.
Further investigation reveals that this vulnerability stems from a logic error where previously buffered data is overwritten rather than correctly appended during multipart parsing. Compounding the problem, ModSecurity’s built-in strict validation mechanisms fail to detect this anomaly; key indicators like MULTIPART_STRICT_ERROR remain unset, allowing the malicious input to pass through undetected.
A proof-of-concept confirmed that both carriage return and newline characters are consistently stripped without triggering any validation alerts, making this vulnerability particularly dangerous in live deployments where ModSecurity is expected to act as a robust security boundary.
What You Should Do
- Upgrade Immediately: All users of ModSecurity are strongly advised to upgrade to version 3.0.16 without delay. This version includes fixes for both vulnerabilities.
- Review Rulesets: Organizations should thoroughly review their ModSecurity rulesets, especially those that rely on input transformations (like
utf8toUnicode) and multipart parsing, to ensure they behave as expected under various input conditions. - Avoid i386 Deployments: For those unable to upgrade immediately, it is recommended to avoid deploying ModSecurity on i386 systems due to the specific architectural vulnerability in CVE-2026-52761.
- Monitor for Anomalies: Increase vigilance for unusual activity or unexpected application behavior that might indicate a WAF bypass, particularly in applications handling multipart form data.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.