Critical vulnerabilities have been identified in the OWASP ModSecurity, a popular open-source web application firewall (WAF). These security gaps allow attackers to circumvent firewall rules under specific circumstances, posing a substantial threat to web applications.
Details of the Vulnerabilities
The identified vulnerabilities, labeled as CVE-2026-52761 and CVE-2026-52747, impact ModSecurity versions up to 3.0.15. Security patches addressing these flaws have been implemented in version 3.0.16.
CVE-2026-52761 is a moderate-severity issue affecting the utf8toUnicode transformation on i386 (32-bit) systems. This transformation is widely used to normalize input data before inspection. However, an improper use of the sizeof() operator leads to incorrect output, as it calculates the size of a pointer rather than the actual buffer length. Consequently, only 4 bytes are processed, allowing attackers to evade detection on i386 systems.
Impact on System Architecture
The vulnerability becomes less apparent on 64-bit systems due to the pointer size matching the expected buffer size. However, on i386 systems, this inconsistency can allow malicious payloads to bypass security checks. Security rules relying on this transformation may therefore fail to detect harmful input.
Researchers have pointed out that the issue arises from improper buffer management in the transformation code. They advise against using ModSecurity on i386 systems until the necessary patches are applied.
Severe Multipart Parsing Flaw
The second vulnerability, CVE-2026-52747, is deemed more severe and impacts the integrity of request inspections. This flaw is found in the multipart/form-data parser within libmodsecurity. When processing non-file-form fields containing line breaks, the parser removes these characters before passing the data to ModSecurity rules, creating a mismatch between the firewall’s and the application’s view of the input.
This inconsistency allows attackers to conceal malicious inputs, such as certain injection payloads, that depend on line breaks. The problem stems from a logic error where buffered data is overwritten rather than appended during parsing, with ModSecurity’s strict validation mechanisms failing to detect these anomalies.
Recommendations and Future Outlook
Security experts strongly recommend updating to version 3.0.16 to mitigate these vulnerabilities. Additionally, organizations should review and adjust rulesets that depend on input transformations and multipart parsing to ensure they function as intended across various input conditions.
These vulnerabilities underscore the potential risks associated with parser inconsistencies and architecture-specific bugs in security tools. Even robust defenses like ModSecurity can have blind spots if input handling is not meticulously validated across all operating environments.
