CVE-2026-13763

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with the Application Load Balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

Configurations

Configuration 1

cpe:2.3:a:amazon:application_load_balancer:-:*:*:*:*:*:*:*

History

01 Jul 2026, 19:51

Type Values Removed Values Added
References () https://aws.amazon.com/security/security-bulletins/2026-048-aws/ - () https://aws.amazon.com/security/security-bulletins/2026-048-aws/ - Vendor Advisory
References () https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection - () https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection - Product
First Time Amazon application Load Balancer
Amazon
CPE cpe:2.3:a:amazon:application_load_balancer:-:*:*:*:*:*:*:*

29 Jun 2026, 20:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-29 20:17

Updated : 2026-07-01 19:51


NVD link : CVE-2026-13763

Mitre link : CVE-2026-13763

CVE.ORG link : CVE-2026-13763



Products Affected

amazon

  • application_load_balancer

CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')