Improper Handling of Case Sensitivity in OWASP ModSecurity Core Rule Set (CRS) - CVE-2026-33691

 


Published: April 21, 2026


Vulnerability identifier: #VU126712
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33691
CWE-ID: CWE-178
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OWASP
Affected software:
OWASP ModSecurity Core Rule Set (CRS)

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper handling of whitespace in the file extension checks performed by file upload detection rules 933110, 933111, and 944140 when processing uploaded filenames. A remote attacker can upload a file with a whitespace-padded dangerous extension to execute arbitrary code.

Exploitation is environment-dependent and requires a backend that normalizes or strips whitespace from filenames before executing uploaded files.
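The gap between a filter that inspects the raw filename and a backend that normalizes it can be closed at the application by validating the canonical name. The following is an added illustration, not CRS rule logic or vendor code; the extension list, function names and sample filenames are hypothetical and constructed for this example.

```python
import re

# Hypothetical blocklist for illustration; not the CRS rule data.
DANGEROUS_EXTENSIONS = ("php", "phtml", "phar", "jsp")

# Naive check: the extension must be the very last characters of the name.
_NAIVE = re.compile(r"\.(?:%s)\Z" % "|".join(DANGEROUS_EXTENSIONS), re.IGNORECASE)


def naive_is_dangerous(filename: str) -> bool:
    """Extension check that ignores whitespace padding (the flawed pattern)."""
    return _NAIVE.search(filename) is not None


def canonical_name(filename: str) -> str:
    """Canonical form: all Unicode whitespace removed, lowercased.

    Assumption: this mirrors (or is stricter than) what the backend does
    before storing or executing the file.
    """
    return "".join(ch for ch in filename if not ch.isspace()).lower()


def hardened_is_dangerous(filename: str) -> bool:
    """Check the extension of the canonical name, not the raw input."""
    _, dot, ext = canonical_name(filename).rpartition(".")
    return bool(dot) and ext in DANGEROUS_EXTENSIONS


def find_gaps(filenames):
    """Return names the naive check passes but the hardened check blocks."""
    return [n for n in filenames
            if not naive_is_dangerous(n) and hardened_is_dangerous(n)]


# Constructed sample upload names (not taken from the advisory).
SAMPLES = ["report.pdf", "avatar.php", "avatar.php ", "avatar.PHP\t", "notes .txt"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), naive_is_dangerous(name), hardened_is_dangerous(name))
    print("gaps:", find_gaps(SAMPLES))
```

Storing the upload under `canonical_name()` (or a server-generated name) keeps the validated name and the stored name identical.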


How to mitigate CVE-2026-33691

Install the security update from the vendor's website.
