Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
This issue was remediated server-side. No customer action is required.
References
| Link | Resource |
|---|---|
| https://aws.amazon.com/security/security-bulletins/2026-048-aws/ | Vendor Advisory |
History
01 Jul 2026, 19:53
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | Amazon, Amazon cloudfront | |
| References | () https://aws.amazon.com/security/security-bulletins/2026-048-aws/ - Vendor Advisory | |
| CPE | cpe:2.3:a:amazon:cloudfront:-:*:*:*:*:*:*:* | |
29 Jun 2026, 20:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-29 20:17
Updated : 2026-07-01 19:53
NVD link : CVE-2026-13762
Mitre link : CVE-2026-13762
CVE.ORG link : CVE-2026-13762
Products Affected
amazon
- cloudfront
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
