CVE-2026-33691
OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
In plain language
AI Worth attentionThis OWASP ModSecurity Core Rule Set lets an attacker sneak dangerous file types past upload “extension checks” by adding extra spaces in the filename; update your CRS rules if you’re on versions earlier than 3.3.9 or 4.25.0.
OWASP ModSecurity Core Rule Set has a filename-parsing weakness (CWE-178) where whitespace padding can bypass upload extension checks, enabling upload of dangerous extensions (for example, .php or .jsp) without normalization; this is fixed in 3.3.9 and 4.25.0.
What to do now
- Check which OWASP ModSecurity Core Rule Set (coreruleset) version your web application firewall is running.
- If your version is earlier than 3.3.9 (for the affected branch) or earlier than 4.25.0 (for the affected branch), plan an update immediately.
- Upgrade OWASP ModSecurity Core Rule Set to version 3.3.9 or 4.25.0 (whichever matches your branch/version line).
- After updating, test a safe upload flow and confirm your WAF still blocks dangerous-extension uploads (with any filename whitespace variations).
CVSS Vector Breakdown
AV:NAttack VectorAC:HAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:CScopeC:NConfidentialityI:HIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
References
- Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Authen·The Hacker News·
- Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037)en·watchTowr Labs·
- Critical Kemp LoadMaster Flaws Expose Network Appliances to RCEen-us·Daily CyberSecurity (securityonline.info)· Summary only·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-33691 and every CVE in our database. Create a free account — no credit card required.
Create Free Account