Description
Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.

To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB load balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection
Published: 2026-06-29
Score: 7.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AWS Application Load Balancer processes HTTP/2 requests inconsistently when AWS WAF is enabled, allowing a remote actor to fragment a request body across frames so that AWS WAF inspects only a partial body. The vulnerability is an inconsistent-interpretation issue (CWE-444, HTTP request/response smuggling) and enables malicious payloads to evade WAF rules that normally inspect the entire request body. The resulting impact is the loss of the protection that the WAF provides for the target application.

Affected Systems

The affected systems are Amazon Web Services Application Load Balancers that have AWS WAF enabled and serve target groups using HTTP/2. Only HTTP/2 target groups are impacted; the vulnerability does not exist for HTTP/1.x traffic or for Application Load Balancer configurations without WAF.

Risk and Exploitability

With a CVSS score of 7.9 the severity is considered high. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending a crafted HTTP/2 request that splits a malicious payload across multiple frames, so the WAF sees only a benign fragment. The exploit conditions require the attacker to have network access to the ALB endpoint and the HTTP/2 target group to lack the "Inspect after sufficient data" setting, so that WAF rules are evaluated before the full body has been read. Because the exploit is possible but no public exploitation has been reported, the risk is moderate to high depending on the exposure of the target application.

Generated by OpenCVE AI on June 29, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enable the "Inspect after sufficient data" target group configuration for the Application Load Balancer as described in the AWS documentation.
  • Ensure that WAF rules are attached to the target group so that after the configuration is enabled, the full request body is inspected by the WAF.
  • Verify the configuration by sending test HTTP/2 requests that fragment the body and confirm that the WAF rules trigger appropriately; monitor ALB logs for any fragmented requests that may bypass inspection.

Generated by OpenCVE AI on June 29, 2026 at 21:20 UTC.
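As an added example (not OpenCVE's or AWS's own code) of the configuration audit a defender would run before and after enabling the setting: the script below parses the JSON documents returned by `aws elbv2 describe-target-groups` and `aws elbv2 describe-target-group-attributes` (real CLI commands) and flags HTTP/2 target groups attached to a WAF-protected ALB that do not have the remediation enabled. The attribute key behind "Inspect after sufficient data" is not given on this page, so `WAF_INSPECT_ATTR_KEY` is a placeholder to be replaced with the key from the linked AWS documentation; the ARNs, attribute lists and the set of WAF-protected load balancers are constructed sample data.

```python
"""Audit ALB target groups for the HTTP/2 WAF body-inspection setting.

Added example, not OpenCVE's or AWS's code. It parses the JSON documents
returned by `aws elbv2 describe-target-groups` and
`aws elbv2 describe-target-group-attributes` and flags HTTP/2 target
groups on a WAF-protected ALB that do not have the remediation enabled.
"""
import json

# ASSUMPTION: the attribute key behind "Inspect after sufficient data" is not
# given in the advisory; replace this placeholder with the key from the
# AWS documentation linked there.
WAF_INSPECT_ATTR_KEY = "PLACEHOLDER.waf.inspect_after_sufficient_data"

# Constructed sample ARNs (111122223333 is AWS's documentation example account).
ELB_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
ALB_WITH_WAF = ELB_PREFIX + "loadbalancer/app/alb-a/0123456789abcdef"
ALB_WITHOUT_WAF = ELB_PREFIX + "loadbalancer/app/alb-b/fedcba9876543210"
TG_H2_NOT_SET = ELB_PREFIX + "targetgroup/tg-h2-not-set/1111"
TG_H2_FALSE = ELB_PREFIX + "targetgroup/tg-h2-false/2222"
TG_H2_FIXED = ELB_PREFIX + "targetgroup/tg-h2-fixed/3333"
TG_H1 = ELB_PREFIX + "targetgroup/tg-h1/4444"
TG_H2_NO_WAF = ELB_PREFIX + "targetgroup/tg-h2-no-waf/5555"


def _tg(arn, name, version, alb):
    """Build one entry in the shape `describe-target-groups` returns."""
    return {"TargetGroupArn": arn, "TargetGroupName": name, "Protocol": "HTTP",
            "ProtocolVersion": version, "LoadBalancerArns": [alb]}


# Constructed sample: `aws elbv2 describe-target-groups` output.
SAMPLE_TARGET_GROUPS_JSON = json.dumps({"TargetGroups": [
    _tg(TG_H2_NOT_SET, "tg-h2-not-set", "HTTP2", ALB_WITH_WAF),
    _tg(TG_H2_FALSE, "tg-h2-false", "HTTP2", ALB_WITH_WAF),
    _tg(TG_H2_FIXED, "tg-h2-fixed", "HTTP2", ALB_WITH_WAF),
    _tg(TG_H1, "tg-h1", "HTTP1", ALB_WITH_WAF),
    _tg(TG_H2_NO_WAF, "tg-h2-no-waf", "HTTP2", ALB_WITHOUT_WAF),
]})

# Constructed sample: one `describe-target-group-attributes` document per ARN.
SAMPLE_ATTRIBUTES_JSON = {
    TG_H2_NOT_SET: json.dumps({"Attributes": [
        {"Key": "deregistration_delay.timeout_seconds", "Value": "300"}]}),
    TG_H2_FALSE: json.dumps({"Attributes": [
        {"Key": WAF_INSPECT_ATTR_KEY, "Value": "false"}]}),
    TG_H2_FIXED: json.dumps({"Attributes": [
        {"Key": WAF_INSPECT_ATTR_KEY, "Value": "true"}]}),
    TG_H1: json.dumps({"Attributes": []}),
    TG_H2_NO_WAF: json.dumps({"Attributes": []}),
}

# Constructed sample: ALBs for which `aws wafv2 get-web-acl-for-resource`
# returned a web ACL.
SAMPLE_WAF_PROTECTED_ALBS = {ALB_WITH_WAF}


def attribute_value(attributes_json, key):
    """Return the value of one target group attribute, or None if unset."""
    for attr in json.loads(attributes_json).get("Attributes", []):
        if attr.get("Key") == key:
            return attr.get("Value")
    return None


def classify(target_group, attributes_json, waf_protected_albs):
    """Status of one target group with respect to the advisory."""
    if target_group.get("ProtocolVersion") != "HTTP2":
        return "not-affected: target group is not HTTP/2"
    albs = target_group.get("LoadBalancerArns", [])
    if not any(alb in waf_protected_albs for alb in albs):
        return "not-affected: no web ACL on the attached load balancer"
    value = attribute_value(attributes_json, WAF_INSPECT_ATTR_KEY)
    if value is None:
        return "exposed: inspection setting not present"
    if value.strip().lower() != "true":
        return f"exposed: inspection setting is {value!r}"
    return "remediated"


def audit(target_groups_json, attributes_by_arn, waf_protected_albs):
    """Map target group name -> status for every target group."""
    findings = {}
    for tg in json.loads(target_groups_json)["TargetGroups"]:
        attrs = attributes_by_arn.get(tg["TargetGroupArn"], '{"Attributes": []}')
        findings[tg["TargetGroupName"]] = classify(tg, attrs, waf_protected_albs)
    return findings


def exposed_target_groups(findings):
    """Names of target groups that still need the remediation, sorted."""
    return sorted(name for name, status in findings.items()
                  if status.startswith("exposed"))


if __name__ == "__main__":
    results = audit(SAMPLE_TARGET_GROUPS_JSON, SAMPLE_ATTRIBUTES_JSON,
                    SAMPLE_WAF_PROTECTED_ALBS)
    for name, status in results.items():
        print(f"{name}: {status}")
    print("needs remediation:", exposed_target_groups(results))
```

In a real account, feed the script the output of the two `describe-*` commands for every target group and the list of load balancer ARNs for which `get-web-acl-for-resource` returns a web ACL; a target group whose setting is absent is reported as exposed, not merely unknown, because the advisory's remediation is to enable the setting explicitly.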

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type: Description
Values removed: (none)
Values added: Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection )

Type: Title
Values removed: (none)
Values added: HTTP/2 Stream Parser Confusion Body-Inspection Bypass in AWS Application Load Balancer with AWS WAF

Type: Weaknesses
Values removed: (none)
Values added: CWE-444

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-29T20:50:47.650Z

Reserved: 2026-06-29T18:29:10.941Z

Link: CVE-2026-13763

Vulnrichment

Updated: 2026-06-29T20:50:42.732Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')