News·4 min read

ModSecurity Flaws Let Attackers Bypass WAF Rules and Request-Body Inspection

Two newly disclosed vulnerabilities in ModSecurity, the widely deployed open-source Web Application Firewall (WAF) engine, could allow attackers to bypass detection rules entirely. Both flaws affect M

CS
CyberShield Team
2026-07-06
Share:
ModSecurity Flaws Let Attackers Bypass WAF Rules and Request-Body Inspection

Two newly disclosed vulnerabilities in ModSecurity, the widely deployed open-source Web Application Firewall (WAF) engine, could allow attackers to bypass detection rules entirely. Both flaws affect ModSecurity versions up to 3.0.15 and are fixed in the newly released 3.0.16. Critical ModSecurity Flaws The first issue, tracked as CVE-2026-52761 (CVSS 3.1: 5.3, Moderate), lies in the […] The post ModSecurity Flaws Let Attackers Bypass WAF Rules and Request-Body Inspection appeared first on Cyber Security News.

Two newly disclosed vulnerabilities in ModSecurity, the widely deployed open-source Web Application Firewall (WAF) engine, could allow attackers to bypass detection rules entirely. Both flaws affect ModSecurity versions up to 3.0.15 and are fixed in the newly released 3.0.16. Critical ModSecurity Flaws The first issue, tracked as CVE-2026-52761 (CVSS 3.1: 5.3, Moderate), lies in the t:utf8toUnicode transformation used by ModSecurity rules to normalize UTF-8 input before pattern matching. Researcher theseion, working with the Coreruleset team, discovered the bug while testing container images on i386 architecture. The root cause traces to utf8_to_unicode.cc, where snprintf() incorrectly uses sizeof(reinterpret_cast<char *>(unicode)) the size of a pointer instead of the actual buffer length. On 64-bit systems, a pointer is 8 bytes, which coincidentally matches the buffer size, masking the bug. On i386, however, pointers are only 4 bytes, causing the transformation to truncate output incorrectly. Any rule relying on t:utf8toUnicode for input normalization on i386 systems can be bypassed, since the transformed value won’t match what the rule expects. This is classified under CWE-467 (Use of sizeof() on a Pointer Type). Maintainer airween published the advisory as GHSA-qjgm-7gp4-f8qq, with the workaround being to migrate away from i386 until a patch is available. The more severe flaw, CVE-2026-52747 (CVSS 3.1: 7.5, High), affects libmodsecurity’s multipart/form-data parser and carries a High integrity impact. Reported by sondt99 and dungNHVhust, this bug silently strips embedded line breaks (\r\n or \n) from non-file form-field values before they’re exposed to ARGS and ARGS_POST variables. In practice, a field value like A\r\nB gets flattened to AB before rule evaluation even though the backend application receiving the same request preserves the original line break. This creates a parser differential: WAF rules see one value while the application sees another. The bug lives in src/request_body_processor/multipart.cc, where reserved buffer bytes are meant to be prepended to new data via d.assign() followed by another d.assign() call except the second call overwrites the string instead of appending to it, silently discarding the reserved bytes. File-upload parts don’t share this flawed code path, only non-file form fields. What makes this particularly dangerous is that ModSecurity’s built-in strict multipart validation variables like MULTIPART_STRICT_ERROR, MULTIPART_LF_LINE, and MULTIPART_CRLF_LF_LINES fail to flag the anomaly, remaining at zero even when the exploit succeeds. Since the default modsecurity.conf-recommended configuration enables SecRequestBodyAccess On and automatically routes multipart/form-data content through this vulnerable parser, most standard deployments are exposed. Attackers could exploit this to smuggle payloads where a line break is semantically significant, such as multiline injection vectors or delimiter-dependent attack signatures, past phase:2 rule inspection, effectively defeating request-body-based detection. This is categorized under CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize). Mitigation Both issues are fixed in ModSecurity 3.0.16. The suggested code fix for CVE-2026-52747 replaces the overwriting d.assign() call with d.append() to preserve reserved bytes across chunk boundaries. Organizations running ModSecurity in production should: Upgrade to version 3.0.16 immediately Avoid i386 deployments until fully patched Add regression tests for multipart fields containing embedded \r\n and \n sequences Review WAF logs for anomalous multipart traffic that may indicate prior exploitation attempts Given that ModSecurity underpins WAF protections across countless web applications, both flaws underscore how subtle parsing and casting bugs can quietly erode a security control’s core promise: seeing what the backend sees. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post ModSecurity Flaws Let Attackers Bypass WAF Rules and Request-Body Inspection appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.