CVE Catalog

CVE-2026-13763

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

38th percentile — higher than 38% of all known CVEs

Summary

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.

Risk Assessment

The risk involves the possibility of sending malicious content that is not fully inspected by AWS WAF, potentially leading to application security breaches such as SQL injection or XSS attacks.

Recommendation

It is recommended to enable the 'Inspect after sufficient data' target group configuration for ALB to ensure full inspection of HTTP/2 request bodies.

Original NVD description (English source)

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection )

Vulnerability data from NVD (NIST) · CISA KEV · EPSS