SB2026042189 - Improper Handling of Case Sensitivity in OWASP ModSecurity Core Rule Set (CRS)
Published: April 21, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-33691)
CWE-ID: CWE-178 - Improper Handling of Case Sensitivity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper handling of whitespace in the extension checks of file upload detection rules 933110, 933111, and 944140 when processing uploaded filenames. A remote attacker can upload a file with a whitespace-padded dangerous extension to execute arbitrary code.
Exploitation is environment-dependent and requires a backend that normalizes or strips whitespace from filenames before executing uploaded files.
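The mismatch described above can be checked for on the application side. The following is an added example, not the CRS rule logic or the vendor's fix: it compares an extension check on the raw filename with a check on the name a whitespace-stripping backend would store. The blocklist, function names and sample filenames are constructed for illustration.

```python
import os
import unicodedata

# Constructed blocklist for illustration; not the extension list used by CRS.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar", ".jsp", ".jspx"}


def raw_extension_blocked(filename: str) -> bool:
    """Check the extension exactly as the client sent it."""
    ext = os.path.splitext(filename)[1]
    return ext.lower() in BLOCKED_EXTENSIONS


def strip_whitespace(filename: str) -> str:
    """Model a backend (assumed) that drops whitespace from names before storing them."""
    folded = unicodedata.normalize("NFKC", filename)  # folds e.g. no-break space to a space
    return "".join(ch for ch in folded if not ch.isspace())


def normalized_extension_blocked(filename: str) -> bool:
    """Check the extension of the name the backend would end up with."""
    return raw_extension_blocked(strip_whitespace(filename))


def find_check_gaps(filenames):
    """Return names that the raw check allows but the normalized check blocks."""
    return [name for name in filenames
            if not raw_extension_blocked(name) and normalized_extension_blocked(name)]


def validate_upload(filename: str) -> bool:
    """Accept an upload only if its normalized extension is not blocked."""
    return not normalized_extension_blocked(filename)


# Constructed sample filenames, e.g. taken from an upload log.
SAMPLE_NAMES = [
    "report.pdf", "photo.JPG", "my notes.txt", "page.php",
    "page.php ", "page.php\t", "page. php", "page.PHP\u00a0",
]

if __name__ == "__main__":
    for name in find_check_gaps(SAMPLE_NAMES):
        print(f"raw check passes, normalized check blocks: {name!r}")
```

Running `find_check_gaps` over historical upload names shows which past uploads would have passed a raw extension check while resolving to a blocked extension after normalization.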
Remediation
Install the update from the vendor's website.