Multiple ModSecurity Vulnerabilities Allow Attackers to Bypass Firewall Rules
OWASP ModSecurity versions up to 3.0.15 contain vulnerabilities that allow attackers to bypass firewall rules, impacting security for web applications.

OWASP ModSecurity, a widely adopted open-source web application firewall (WAF), is affected by multiple vulnerabilities that could allow attackers to bypass its security rules. The flaws, identified as CVE-2026-52761 and CVE-2026-52747, impact versions prior to 3.0.16, which has since been released to address these issues.
The first vulnerability, CVE-2026-52761, is a moderate-severity flaw present in the utf8toUnicode transformation process, specifically on 32-bit (i386) systems. This transformation is crucial for normalizing input data before it is inspected by ModSecurity rules. The vulnerability arises from an incorrect use of the sizeof() operator on a pointer type, leading to truncated or malformed output. On 32-bit architectures, this results in only 4 bytes being processed instead of the intended buffer size. While this bug is largely inconsequential on 64-bit systems due to the pointer size coincidentally matching the expected buffer size, it creates a significant blind spot on i386 systems. Attackers can exploit this by crafting payloads that evade detection by rules relying on this flawed transformation, effectively bypassing firewall protections.
Researchers pinpointed the root cause of CVE-2026-52761 to improper buffer handling within multiple transformation code sections. A temporary workaround suggested for organizations unable to patch immediately is to avoid using ModSecurity on i386 systems. This highlights the critical importance of architecture-specific testing in security software.
The second vulnerability, CVE-2026-52747, is rated as high severity due to its direct impact on the integrity of request inspection. This flaw resides within the multipart/form-data parser in libmodsecurity. It becomes exploitable when processing non-file form fields that contain embedded line breaks, such as carriage return (CR) and line feed (LF) sequences. Instead of preserving these line breaks, the parser silently strips them before the data is passed to ModSecurity rules. For instance, a payload like "A\r\nB" would be transformed into "AB" during inspection.
This discrepancy is particularly dangerous because backend applications typically retain the original formatting. The mismatch between what the firewall inspects and what the application processes allows attackers to conceal malicious input that relies on specific line break formatting, such as certain injection payloads or exploits targeting parser logic. The issue stems from a logic error where previously buffered data is overwritten rather than appended during the multipart parsing process.
Adding to the severity, ModSecurity's built-in strict validation mechanisms fail to detect this anomaly. Indicators like MULTIPART_STRICT_ERROR remain unset, allowing the malicious input to pass through without triggering any alerts. Proof-of-concept demonstrations have confirmed that both CR and LF characters are consistently stripped, while validation checks remain clear, making this vulnerability a significant threat in real-world deployments where ModSecurity acts as a primary security boundary.
Security experts strongly recommend upgrading to ModSecurity version 3.0.16 immediately, as it contains fixes for both CVE-2026-52761 and CVE-2026-52747. Organizations should also conduct a thorough review of their existing rulesets, particularly those involving input transformations and multipart parsing, to ensure they function as expected across different input conditions and system architectures. These vulnerabilities serve as a stark reminder of the risks associated with parser inconsistencies and architecture-specific bugs, even in widely trusted security tools.