CVE-2026-13763: CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling') in AWS AWS Application Load Balancer
Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection )
AI Analysis
Technical Summary
This vulnerability (CWE-444) arises from inconsistent parsing of HTTP/2 requests by AWS Application Load Balancer with AWS WAF enabled. Attackers can craft HTTP/2 requests that fragment the request body across multiple frames, causing AWS WAF to inspect only a partial body and potentially bypass managed rule inspections. The issue specifically impacts HTTP/2 ALB target groups. AWS provides a remediation by enabling the "Inspect after sufficient data" setting on the target group, which ensures complete request body inspection before WAF evaluation.
Potential Impact
Successful exploitation could allow remote attackers to bypass AWS WAF managed rule body inspection on HTTP/2 ALB target groups, potentially enabling malicious payloads to reach backend services undetected. The CVSS score of 9.8 indicates a critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service. Customers should enable the "Inspect after sufficient data" target group configuration for their ALB load balancers as documented in the AWS advisory (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection). This configuration ensures full request body inspection by AWS WAF and mitigates the vulnerability.
CVE-2026-13763: CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling') in AWS AWS Application Load Balancer
Description
Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection )
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CWE-444) arises from inconsistent parsing of HTTP/2 requests by AWS Application Load Balancer with AWS WAF enabled. Attackers can craft HTTP/2 requests that fragment the request body across multiple frames, causing AWS WAF to inspect only a partial body and potentially bypass managed rule inspections. The issue specifically impacts HTTP/2 ALB target groups. AWS provides a remediation by enabling the "Inspect after sufficient data" setting on the target group, which ensures complete request body inspection before WAF evaluation.
Potential Impact
Successful exploitation could allow remote attackers to bypass AWS WAF managed rule body inspection on HTTP/2 ALB target groups, potentially enabling malicious payloads to reach backend services undetected. The CVSS score of 9.8 indicates a critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service. Customers should enable the "Inspect after sufficient data" target group configuration for their ALB load balancers as documented in the AWS advisory (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection). This configuration ensures full request body inspection by AWS WAF and mitigates the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-06-29T18:29:10.941Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-048-aws/","vendor":"AWS"}]
Threat ID: 6a42d3d027e9c7971972c795
Added to database: 06/29/2026, 20:21:36 UTC
Last enriched: 06/29/2026, 20:36:24 UTC
Last updated: 06/30/2026, 00:16:34 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.