CVE-2026-13762

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:cloudfront:-:*:*:*:*:*:*:*

History

01 Jul 2026, 19:53

Type Values Removed Values Added
First Time Amazon
Amazon cloudfront
References () https://aws.amazon.com/security/security-bulletins/2026-048-aws/ - () https://aws.amazon.com/security/security-bulletins/2026-048-aws/ - Vendor Advisory
CPE cpe:2.3:a:amazon:cloudfront:-:*:*:*:*:*:*:*

29 Jun 2026, 20:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-29 20:17

Updated : 2026-07-01 19:53


NVD link : CVE-2026-13762

Mitre link : CVE-2026-13762

CVE.ORG link : CVE-2026-13762


JSON object : View

Products Affected

amazon

  • cloudfront
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')