CVE-2026-13762
Published 2026-06-29
Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.6th percentile)
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
This issue was remediated server-side. No customer action is required.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aws | amazon_cloudfront | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
AWS Amazon CloudFront Request Body request smuggling
vuldb·2026-06-30·CVSS 9.8
CVE-2026-13762 [CRITICAL] AWS Amazon CloudFront Request Body request smuggling
A vulnerability classified as critical was found in AWS Amazon CloudFront. This vulnerability affects unknown code of the component Request Body Handler. Such manipulation leads to http request smuggling.
This vulnerability is documented as CVE-2026-13762. The attack can be executed remotely. There is not any exploit available.
This product is a managed service, indicating that users are not permitted to maintain vulnerability countermeasures themselves.
GHSA
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragm
ghsa_unreviewed·2026-06-29
CVE-2026-13762 [HIGH] CWE-444 Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragm