Main Vulnerability Database Vulnerabilities #VU135853

Incorrect Behavior Order: Validate Before Canonicalize in ModSecurity - CVE-2026-52747

Published: June 29, 2026

Vulnerability identifier: #VU135853

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-52747

CWE-ID: CWE-180

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Trustwave

Affected software:
ModSecurity

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass request-body inspection.

The vulnerability exists due to incorrect behavior order: validate before canonicalize in the libmodsecurity multipart/form-data request body parser when processing non-file multipart form-field values containing embedded line breaks. A remote attacker can send a specially crafted multipart/form-data request to bypass request-body inspection.

The issue affects values exported to ARGS and ARGS_POST, while built-in multipart strict-validation variables can remain clear.

How to mitigate CVE-2026-52747

Install security update from vendor's website.

Sources

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88

Incorrect Behavior Order: Validate Before Canonicalize in ModSecurity - CVE-2026-52747

Detailed vulnerability description

How to mitigate CVE-2026-52747

Sources

Please verify you're human