ModSecurity — the open-source web application firewall that fronts a huge share of Apache and NGINX installs — has two newly disclosed flaws that let attackers sneak malicious HTTP requests past its inspection. The more serious one (CVE-2026-52747, High) is a parser differential in the multipart/form-data handler: ModSecurity strips embedded line breaks from form fields before your rules ever see them, so a payload that looks harmless to the WAF can still reach the backend intact. The second (CVE-2026-52761, Moderate) makes a Unicode transformation produce wrong output on 32-bit (i386) systems, silently blinding rules that depend on it. Both were disclosed July 6, 2026 and are fixed in ModSecurity 3.0.16.
What the Vulnerability Is
CVE-2026-52747 — multipart parser strips line breaks (the dangerous one)
libmodsecurity’s multipart/form-data parser silently removes embedded \r\n or \n characters from non-file form fields before exposing their values to rules via the ARGS and ARGS_POST variables. So a value like A\r\nB is presented to your WAF rules as AB, while the backend application may still receive it with the line breaks intact. That gap between “what the WAF inspects” and “what the app processes” is a classic parser-differential vulnerability. Attackers use it to craft payloads that dodge any detection rule that relies on newlines — multi-line injection strings, delimiter-based signatures, and similar. Worse, ModSecurity’s own MULTIPART_STRICT_ERROR validation is not raised, so the malformed transformation is neither flagged nor blocked. A proof-of-concept reduced both CRLF- and LF-based payloads to a single line without tripping any alert (advisory GHSA-rcw9-2f5r-7p88).
CVE-2026-52761 — architecture-dependent transform bug
The t:utf8toUnicode transformation uses sizeof() on a pointer type instead of the actual buffer (CWE-467) inside an snprintf() call. On 64-bit systems the sizes happen to line up, so there’s no impact — but on 32-bit i386 systems (4-byte pointers) the transform produces truncated or incorrect Unicode output. Rules that rely on t:utf8toUnicode can therefore misread malicious payloads and fail to match them. It was found by the OWASP Core Rule Set (CRS) team during automated testing (advisory GHSA-qjgm-7gp4-f8qq). Rated Moderate; triggerable remotely, no auth or interaction needed.
Why It Matters
- Your WAF is the outer wall. ModSecurity often sits as the frontline filter in front of WordPress, custom PHP apps, and reverse proxies. A bypass means attacks you assumed were blocked (SQLi, XSS, command injection delivered via multipart forms) can reach the application.
- It’s silent. Both bugs defeat detection without raising errors or alerts, so logs won’t show a “blocked” event — the request simply looks clean.
- CRS rules are affected. Because the flaws live in input transformation and body parsing, even a well-tuned OWASP Core Rule Set deployment can be evaded.
- 32-bit hosts are a real blind spot. Plenty of legacy shared-hosting and appliance environments still run i386 builds where CVE-2026-52761 fully applies.
Am I Affected?
- You run ModSecurity 3.x (libmodsecurity) at version 3.0.15 or earlier as an Apache/NGINX module or in a reverse proxy — check with your package manager or
modsecurity -vwhere available. - CVE-2026-52747 applies to any deployment that inspects
multipart/form-datarequest bodies (file uploads, most HTML forms) — effectively everyone. - CVE-2026-52761 additionally applies if you run on 32-bit / i386 hardware or containers and use rules with the
t:utf8toUnicodetransformation (common in the OWASP CRS). - Managed WAFs (Cloudflare, AWS WAF, etc.) are separate products and are not what this advisory refers to — this is specifically the ModSecurity engine you self-host.
What to Do About It: Step-by-Step
Step 1: Upgrade to ModSecurity 3.0.16
This release fixes both CVEs and is the primary remediation.
# Debian / Ubuntu (package name may be libmodsecurity3 / modsecurity)
sudo apt update && sudo apt install --only-upgrade libmodsecurity3
# RHEL / Alma / Rocky
sudo dnf update libmodsecurity
If you build from source, pull the v3.0.16 tag and recompile your connector.
Step 2: Restart the fronting web server
So the updated library is loaded:
sudo systemctl restart nginx # or: sudo systemctl restart httpd / apache2
Step 3: Verify the running version
Don’t trust the package string alone if you compiled it:
modsecurity -v 2>/dev/null || nginx -V 2>&1 | tr ' ' '\n' | grep -i modsec
Step 4: If you can’t patch immediately, reduce exposure
- Turn on strict multipart validation so malformed bodies are rejected rather than silently mangled — ensure your ruleset enforces
MULTIPART_STRICT_ERROR(block on non-zero) and relatedREQBODY/MULTIPART_*checks. - For CVE-2026-52761 specifically, migrate off 32-bit/i386 hosts to a 64-bit build, where the transform bug does not manifest.
Step 5: Add backend validation
Because these are parser-differential issues, defense-in-depth at the application layer (canonicalize and validate input server-side) closes the gap even when the WAF and backend disagree.
Step 6: Regression-test your rules
After upgrading, replay known-bad multipart payloads (CRLF/LF variants) and confirm they’re now detected. Review any custom rules that depend on t:utf8toUnicode.
Quick-Win Checklist
- Identify your ModSecurity version (
modsecurity -v/ package manager). - Upgrade to 3.0.16 and restart NGINX/Apache.
- Confirm the loaded library is actually 3.0.16, not a cached build.
- Enable/verify
MULTIPART_STRICT_ERRORblocking as interim hardening. - Move any 32-bit/i386 WAF hosts to 64-bit.
- Add server-side input validation as defense-in-depth.
- Replay CRLF/LF multipart payloads to confirm detection is restored.