Description
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.

This issue was remediated server-side. No customer action is required.
Published: 2026-06-29
Score: 7.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Amazon CloudFront, when coupled with AWS WAF, misinterpreted fragmented HTTP/2 request bodies, causing only a portion of the payload to be examined by managed rule body inspection. This oversight permits remote actors to submit malicious content that evades the relevant WAF body checks, potentially enabling payload delivery and subsequent exploitation of downstream services. The flaw corresponds to CWE‑444, reflecting a failure in secure parsing of network input.

Affected Systems

The affected system is Amazon CloudFront with AWS WAF enabled. No specific product version information is enumerated, implying that all currently deployed instances of CloudFront using WAF are impacted. Because the remediation was performed server‑side, no customer‑specific changes to CloudFront configuration are necessary.

Risk and Exploitability

The CVSS score of 7.9 denotes a high severity risk, while the EPSS score is currently unavailable, indicating limited data on exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote, internet‑based attacker sending crafted HTTP/2 requests to the CloudFront distribution; this inference is derived from the description’s mention of remote actors.

Generated by OpenCVE AI on June 29, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No customer action required; the issue was remediated by AWS.
  • Ensure AWS WAF is enabled and that body‑inspection rules are correctly configured.
  • Enable CloudFront access logging and monitor for anomalous HTTP/2 request patterns that may indicate a bypass attempt.
  • Periodically review and update custom or managed rule groups to maintain robust request‑body inspection.

Generated by OpenCVE AI on June 29, 2026 at 21:20 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

Type: Title
Values Removed: (none)
Values Added: HTTP/2 Stream Parser Confusion Body-Inspection Bypass in Amazon CloudFront with AWS WAF

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-444

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
              cvssV4_0 {'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-29T20:51:27.340Z

Reserved: 2026-06-29T18:29:10.458Z

Link: CVE-2026-13762

Vulnrichment

Updated: 2026-06-29T20:51:22.455Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')