HTTP/2 Request Interpretation Vulnerability in Amazon CloudFront
CVE-2026-13762

7.9 HIGH

Key Information:

Vendor: AWS

CVE Published: 29 June 2026

What is CVE-2026-13762?

The vulnerability is an inconsistency in how Amazon CloudFront interprets HTTP/2 requests when AWS WAF is enabled. A remote attacker can potentially bypass AWS WAF body inspection by crafting HTTP/2 requests that fragment the request body across different frames. As a result, only part of the request body is inspected, which can create a window for unauthorized actions. The issue has been resolved on the server side and does not require any action from customers.

Affected Version(s)

Amazon CloudFront 0

References

CVSS V4

Score: 7.9
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
