Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.
To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection
History
01 Jul 2026, 19:51
| Type | Values Removed | Values Added |
|---|---|---|
| References | https://aws.amazon.com/security/security-bulletins/2026-048-aws/ - Vendor Advisory | |
| References | https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection - Product | |
| First Time | Amazon application Load Balancer, Amazon | |
| CPE | cpe:2.3:a:amazon:application_load_balancer:-:*:*:*:*:*:*:* | |
29 Jun 2026, 20:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-29 20:17
Updated : 2026-07-01 19:51
NVD link : CVE-2026-13763
Mitre link : CVE-2026-13763
CVE.ORG link : CVE-2026-13763
Products Affected
amazon
- application_load_balancer
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
