HTTP/2 Request Interpretation Flaw in AWS Application Load Balancer
CVE-2026-13763

7.9HIGH

Key Information:

Vendor: Aws
Status: Aws Application Load Balancer
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-13763?

A security flaw exists in the AWS Application Load Balancer when using HTTP/2, enabling remote attackers to potentially evade AWS WAF's managed rule body inspection. This occurs through specially crafted HTTP/2 requests that partition the request body across frames, resulting in only a portion of the body being scrutinized. This vulnerability is limited to target groups using HTTP/2 in ALB. To mitigate the risk, users are advised to configure the 'Inspect after sufficient data' settings for their ALB load balancer.

Affected Version(s)

AWS Application Load Balancer 0

References

https://docs.aws.amazon.com/elasticloadbalancing/latest/a...

mitigation

https://aws.amazon.com/security/security-bulletins/2026-0...

vendor-advisory

CVSS V4

Score:

7.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 29, 2026

CVE-2026-13763 Data

JSON

Aws

What is CVE-2026-13763?

Affected Version(s)

References

CVSS V4

Timeline