CVE-2026-13763
Received - Intake

HTTP/2 Request Fragmentation Bypass in AWS ALB

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: AMZN

Description

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB load balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs

Vendor  Product                                 Version / Range
amazon  web_services_application_load_balancer  *
amazon  aws_application_load_balancer           From 2026-05-22 (inc)
amazon  aws_waf                                 *
amazon  aws_elastic_load_balancing              *

CWE

CWE ID   Description
CWE-444  Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'): The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. Here the intermediary is the ALB with AWS WAF attached: WAF judges the request on a different view of the HTTP/2 body than the one the target application receives.

Executive Summary

When AWS WAF is enabled on an Application Load Balancer (ALB), the ALB and AWS WAF can interpret the same HTTP/2 request differently. A remote sender can split the request body across several HTTP/2 DATA frames so that AWS WAF managed rules inspect only the leading fragment, while the target application receives the complete body. Payloads that the body rules would otherwise block therefore reach the application. Only HTTP/2 ALB target groups are affected; HTTP/1.1 target groups behind the same load balancer are not.

The fix is a target group setting rather than a WAF rule change: enable "Inspect after sufficient data" on each HTTP/2 target group associated with a WAF-protected ALB.

Impact Analysis

Because AWS WAF managed rules see only part of the body, any body-based signature in those rule groups can be evaded by placing the payload beyond the inspected fragment. The WAF passes the request and the backend processes the full body. What follows depends entirely on the protected application: if it has an injection or upload flaw that the managed rules were masking, the attacker reaches it directly, with unauthorized access or data exposure as possible outcomes; if the application validates its input properly, the bypass removes a layer of defence in depth without causing compromise on its own. The advisory describes only body inspection as affected, not inspection of headers, URI or query string.

Mitigation Strategies

Enable the "Inspect after sufficient data" attribute on every HTTP/2 target group that sits behind an ALB with AWS WAF enabled. Because the setting lives on the target group, not on the load balancer or the web ACL, an ALB with several HTTP/2 target groups needs the change on each of them; target groups using HTTP/1.1 are not affected and need no change.

With the attribute enabled, the ALB buffers HTTP/2 DATA frames until enough of the request body has arrived before handing it to AWS WAF, so rules evaluate the assembled body rather than the first fragment. The advisory does not state how much data counts as "sufficient" or how requests whose bodies exceed that amount are treated, so check the linked documentation for any body-size limits that still apply to WAF inspection.

Step-by-step instructions for setting the target group attribute: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

Detection Guidance

Exploitation happens at the HTTP/2 framing layer: the request body arrives in several DATA frames and the first frame carries only a benign-looking prefix, so the payload sits in frames that AWS WAF never evaluated. Neither AWS WAF logs nor ALB access logs record frame boundaries, and the available resources provide no command, log field or signature that identifies an exploitation attempt in traffic.

The reliable check is therefore configurational: confirm that every HTTP/2 target group behind a WAF-protected ALB has "Inspect after sufficient data" enabled, which makes the ALB accumulate DATA frames before AWS WAF inspects the body. Until it is enabled, a request that the backend logs as carrying a payload which body rules should have blocked, with no corresponding WAF block event, is the after-the-fact indicator to look for.
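The fragmentation mechanism described in the Description and in Mitigation Strategies, as an added Python model that is not AWS code and is not taken from this advisory. A toy signature rule stands in for managed-rule body inspection; `inspect_first_frame` models an inspector that judges the body on the first DATA frame alone, and `inspect_after_sufficient_data` models the remediation by buffering frames per stream until END_STREAM or a size cap. The rule, the cap, the frame split and the sample body are all constructed assumptions; how ALB actually sizes "sufficient data" is not stated on this page.

```python
"""
Model of HTTP/2 DATA-frame fragmentation against a body inspector.

Constructed illustration, not AWS code. It shows why an inspector that
looks only at the first DATA frame can be bypassed by splitting the body
across frames, and how accumulating frames until END_STREAM (or a size
cap) closes the gap.
"""
import re
import struct

# RFC 7540 frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
FRAME_TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
HEADER_LEN = 9

# Toy rule standing in for a managed-rule body signature (assumption: a real
# rule set is far larger; one pattern is enough to show the bypass).
SQLI_RULE = re.compile(rb"(?i)union\s+select")


def encode_data_frame(stream_id: int, payload: bytes, end_stream: bool) -> bytes:
    """Serialise one HTTP/2 DATA frame without padding."""
    flags = FLAG_END_STREAM if end_stream else 0
    length = struct.pack(">I", len(payload))[1:]          # 24-bit length
    header = length + bytes([FRAME_TYPE_DATA, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def fragment_body(stream_id: int, body: bytes, split_at: int) -> bytes:
    """Send the body as two DATA frames split at byte offset split_at."""
    return (encode_data_frame(stream_id, body[:split_at], False)
            + encode_data_frame(stream_id, body[split_at:], True))


def iter_data_frames(wire: bytes):
    """Parse a byte string into (stream_id, end_stream, payload) for each DATA frame."""
    pos = 0
    while pos + HEADER_LEN <= len(wire):
        length = int.from_bytes(wire[pos:pos + 3], "big")
        ftype, flags = wire[pos + 3], wire[pos + 4]
        stream_id = int.from_bytes(wire[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = wire[pos + HEADER_LEN:pos + HEADER_LEN + length]
        pos += HEADER_LEN + length
        if ftype == FRAME_TYPE_DATA:
            yield stream_id, bool(flags & FLAG_END_STREAM), payload


def inspect_first_frame(wire: bytes) -> bool:
    """Vulnerable behaviour: decide on the first DATA frame only. Returns True if blocked."""
    for _, _, payload in iter_data_frames(wire):
        return SQLI_RULE.search(payload) is not None
    return False


def inspect_after_sufficient_data(wire: bytes, max_bytes: int = 8192) -> bool:
    """Remediated behaviour: buffer DATA frames per stream until END_STREAM or
    max_bytes, then inspect the assembled body. Returns True if blocked.
    (The cap is an assumption; the real threshold is not given on the page.)"""
    bodies: dict[int, bytearray] = {}
    for stream_id, end_stream, payload in iter_data_frames(wire):
        buf = bodies.setdefault(stream_id, bytearray())
        buf += payload
        if end_stream or len(buf) >= max_bytes:
            if SQLI_RULE.search(bytes(buf[:max_bytes])):
                return True
            del bodies[stream_id]
    return False


# Constructed sample: the signature straddles the frame boundary ("...UNI" | "ON SELECT...").
MALICIOUS_BODY = b"q=1' UNION SELECT username,password FROM users--"
SPLIT = MALICIOUS_BODY.index(b"UNION") + 3
WIRE = fragment_body(stream_id=1, body=MALICIOUS_BODY, split_at=SPLIT)

if __name__ == "__main__":
    print("first-frame-only inspection blocks:", inspect_first_frame(WIRE))
    print("accumulate-then-inspect blocks:    ", inspect_after_sufficient_data(WIRE))
```

The same body sent in a single DATA frame is caught by both inspectors; only the split defeats the first-frame inspector, which is the behaviour the advisory attributes to ALB target groups without the attribute enabled.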
