CVE-2026-13762
Received - Intake

HTTP/2 Request Fragmentation Bypass in AWS WAF with CloudFront

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: AMZN

Description

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 3 associated CPEs

Vendor   Product                     Version / Range
amazon   web_services_aws_waf        *
amazon   cloudfront                  *
amazon   application_load_balancer   *

Exploitability

CWE

CWE ID: CWE-444
Description: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Executive Summary

This vulnerability involves an inconsistent interpretation of HTTP/2 requests in Amazon CloudFront when AWS WAF is enabled. Specifically, remote attackers can craft HTTP/2 requests that fragment the request body across multiple frames, causing AWS WAF's managed rule body inspection to only partially inspect the request body. This partial inspection can allow malicious requests to bypass the security rules intended to protect the application.

Impact Analysis

The impact of this vulnerability is that attackers might bypass AWS WAF protections by exploiting the fragmented HTTP/2 request bodies. This means that malicious payloads could reach your application without being fully inspected or blocked by AWS WAF, potentially leading to unauthorized access, data exposure, or other security breaches.

However, this issue was remediated server-side by AWS for CloudFront, and no customer action is required to protect against this vulnerability in that environment.

Detection Guidance

This vulnerability involves inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled, specifically related to multi-frame request body inspection.

No specific detection commands, methods, or workarounds are provided for identifying this vulnerability on your network or system.

Mitigation Strategies

The vulnerability in Amazon CloudFront with AWS WAF enabled was remediated server-side, and no customer action is required to mitigate it.

For related vulnerabilities affecting AWS Application Load Balancer (ALB), customers should review and update the WAF HTTP/2 traffic inspection behavior, found under target group attributes for HTTP/2 endpoints, so that ALB accumulates HTTP/2 data frames before inspection.

Since this CVE specifically concerns CloudFront, no immediate mitigation steps are necessary on your part.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
