CVE Catalog

CVE-2026-13762

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.

Risk Assessment

The risk is that malicious content may not be fully inspected by AWS WAF, potentially leading to security policy violations and attacks on the application.

Recommendation

It is recommended to ensure that the environment uses the latest version of CloudFront and AWS WAF, as the issue has been remediated server-side and no customer action is required.

Original NVD description (English source)

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS