CVE-2026-13762
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
Risk Assessment
The risk is that malicious content may not be fully inspected by AWS WAF, potentially leading to security policy violations and attacks on the application.
Recommendation
It is recommended to ensure that the environment uses the latest version of CloudFront and AWS WAF, as the issue has been remediated server-side and no customer action is required.
Original NVD description (English source)
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

