CloudFront AWS WAF HTTP/2 Body Inspection Bypass
CVE-2026-13762 Published on June 29, 2026
HTTP/2 Stream Parser Confusion Body-Inspection Bypass in Amazon CloudFront with AWS WAF
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
This issue was remediated server-side. No customer action is required.
Vulnerability Analysis
CVE-2026-13762 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a HTTP Request Smuggling Vulnerability?
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.
CVE-2026-13762 has been classified to as a HTTP Request Smuggling vulnerability or weakness.
Products Associated with CVE-2026-13762
Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.