
AWS WAF Body-Inspection Bypass (CVE-2026-13762/13763, CVSS 9.8): Attacks Can Slip Past on CloudFront and the Load Balancer

AWS WAF, the web shield on Amazon's cloud, has a flaw (CVE-2026-13762/13763, CVSS 9.8): splitting an attack across HTTP/2 frames slips past body inspection. CloudFront is auto-fixed; load balancer (ALB) users must change a setting.

News | Published June 30, 2026

On Amazon's cloud, "AWS," two serious vulnerabilities have been found in "AWS WAF," the feature that protects websites and apps from attacks. When attack traffic is sent in small fragments, the WAF can fail to inspect the whole body, and the malicious data passes straight through. The identifiers are CVE-2026-13762 (for CloudFront) and CVE-2026-13763 (for the load balancer), both at CVSS 9.8 out of 10. AWS published its security information on June 29, 2026.

A WAF (Web Application Firewall) is a "wall of defense" that stops malicious traffic such as SQL injection (attacks that manipulate a database) at the entrance. Many companies place a WAF in front of AWS's delivery service "CloudFront" or the load-balancing "Application Load Balancer (ALB)" to protect their sites and APIs. That wall had a gap. CVE-2026-13762 for CloudFront is already fixed on the AWS side and requires no customer action, but CVE-2026-13763 for the load balancer requires customers to change a setting themselves. The details are summarized in AWS's official security bulletin (2026-048).

CVE             Affected service            CVSS   Customer action
CVE-2026-13762  Amazon CloudFront           9.8    None (auto-fixed)
CVE-2026-13763  Application Load Balancer   9.8    Required (config change)

*CVSS values are per NVD (CVSS v3.1). Under CVSS v4.0, which AWS uses, the score is 7.9. Both require no login and can be triggered from outside.

Who is at risk, and what is the damage

This hole is exploited by attackers trying to send attack data, such as SQL injection, into websites or APIs protected by AWS WAF. A WAF normally inspects the body of incoming traffic and blocks it when it finds a dangerous pattern. For attackers, the WAF is a gate to break through — but this flaw, rather than breaking it head-on, hands them a way to slip past it. No login is required, and anyone can try it over the internet.

Here is the method. Using the newer protocol "HTTP/2," the attacker splits the attack body into multiple small pieces (frames) so that the WAF inspects only part of the body. After the WAF decides "nothing dangerous found" and lets it through, the server behind reassembles the split data and processes it — so the malicious content that evaded inspection reaches the app intact.

The essence of the damage is that a defense you believe is protecting you is actually letting traffic through. If you rely on the WAF and keep app-side measures light, SQL injection or malicious input reaches the app behind it, potentially leading to data theft or tampering. The frightening part is that even a successful attack looks like ordinary traffic on the surface and is hard to notice. Attacks abusing fine details of the HTTP/2 protocol have repeatedly become an issue in recent years; we have also covered a vulnerability that abuses HTTP/2 to take down web servers.

What WAF, CloudFront, and the load balancer are

AWS WAF (Web Application Firewall) is a defense service that inspects traffic reaching websites and APIs and blocks what it deems an attack. It is commonly used by enabling "ready-made rule sets (managed rules)" that block SQL injection, cross-site scripting (embedding malicious scripts), and the like.

This WAF is not used on its own; it is combined with another service that stands at the entrance to traffic. Amazon CloudFront is a service (a CDN) that delivers content quickly from points placed around the world. Application Load Balancer (ALB) is a load-balancing service that distributes many requests across multiple servers. Both sit at the front line of a web service, with the WAF inspecting traffic just ahead of them. These vulnerabilities affect the widely used AWS patterns of "WAF + CloudFront" and "WAF + ALB."

The two vulnerabilities, one by one

CVE-2026-13762: WAF bypass via CloudFront (already fixed)

In configurations with AWS WAF placed in front of CloudFront, a crafted, fragmented HTTP/2 request could make body inspection incomplete, letting attack data that the WAF should block slip through. This one is already fixed on AWS's servers, and there is nothing for customers to do. Simply using CloudFront means you are already protected.

CVE-2026-13763: WAF bypass via the load balancer (ALB) (config change needed)

In configurations combining AWS WAF with an Application Load Balancer target group that has HTTP/2 enabled, an HTTP/2 request split across multiple frames could cause only part of the body to be inspected. Unlike CloudFront, this one requires a configuration change on the customer side. AWS provided a remediation setting on May 22, 2026; by switching the HTTP/2 traffic in the target group attributes to a behavior that "inspects with the WAF after sufficient data has accumulated," the full body gets inspected.

Why "splitting" slips past inspection

The key here is the mechanism of the protocol "HTTP/2." In HTTP/2, the body of a single request can be sent split into multiple pieces called "frames." The inspecting side (the WAF) and the processing side (the app server) should reassemble these pieces the same way and see the same content. But if the WAF judges after seeing only part of the body, the "content being seen" diverges between the inspector and the processor.

The attacker deliberately creates this divergence. By splitting so that dangerous data is pushed beyond the range the WAF inspects (into later frames), the WAF judges "no problem," and only the server behind receives and processes that dangerous data. This class of problem, where the inspector and processor interpret things differently, is called "HTTP request smuggling" (CWE-444). The fix is to have the WAF inspect the body to the end (after enough has accumulated), eliminating the divergence.
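To make the inspector/processor divergence concrete, here is an added toy model (not AWS's code, and not the actual WAF internals, which the bulletin does not describe): a minimal HTTP/2 DATA-frame parser, a flawed inspector that applies a stand-in SQL-injection rule to the first DATA frame only, and the corrected inspector that buffers DATA frames until END_STREAM before judging, which is what "inspect after sufficient data has accumulated" amounts to. The frame layout follows RFC 7540; the rule pattern and sample body are constructed.

```python
import struct

# HTTP/2 frame constants from RFC 7540 (DATA frame type 0x0, END_STREAM flag 0x1).
FRAME_DATA = 0x0
FLAG_END_STREAM = 0x1

def build_data_frames(body: bytes, chunk_size: int, stream_id: int = 1) -> bytes:
    """Serialize a request body as a sequence of HTTP/2 DATA frames (test input)."""
    chunks = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)] or [b""]
    out = b""
    for n, chunk in enumerate(chunks):
        flags = FLAG_END_STREAM if n == len(chunks) - 1 else 0
        header = struct.pack("!I", len(chunk))[1:] + bytes([FRAME_DATA, flags])  # 24-bit length
        header += struct.pack("!I", stream_id & 0x7FFFFFFF)                        # 31-bit stream id
        out += header + chunk
    return out

def iter_frames(raw: bytes):
    """Yield (type, flags, stream_id, payload) for each 9-byte-header frame in raw."""
    pos = 0
    while pos + 9 <= len(raw):
        length = int.from_bytes(raw[pos:pos + 3], "big")
        ftype, flags = raw[pos + 3], raw[pos + 4]
        stream_id = int.from_bytes(raw[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = raw[pos + 9:pos + 9 + length]
        pos += 9 + length
        yield ftype, flags, stream_id, payload

BLOCK_PATTERN = b"' OR 1=1"   # toy stand-in for a managed SQLi rule (constructed)

def inspect_first_frame(raw: bytes) -> str:
    """Toy model of the flawed behaviour: the rule runs on the first DATA frame only."""
    for ftype, _flags, _sid, payload in iter_frames(raw):
        if ftype == FRAME_DATA:
            return "block" if BLOCK_PATTERN in payload else "allow"
    return "allow"

def inspect_after_end_stream(raw: bytes) -> str:
    """Corrected behaviour: buffer DATA frames until END_STREAM, then judge the whole body."""
    body = b""
    for ftype, flags, _sid, payload in iter_frames(raw):
        if ftype != FRAME_DATA:
            continue
        body += payload
        if flags & FLAG_END_STREAM:
            return "block" if BLOCK_PATTERN in body else "allow"
    return "block"  # stream never completed: never forward an uninspected body
```

Splitting the sample body into 8-byte frames keeps the pattern out of the first frame, so the flawed inspector allows what the buffered inspector blocks; the same body sent in a single frame is blocked by both.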

What to do now

The response differs by service. CloudFront (CVE-2026-13762) is auto-fixed by AWS, so there is no customer action. On the other hand, if you use Application Load Balancer (CVE-2026-13763) with a WAF and HTTP/2 enabled, a configuration change is required. In the target group attributes, switch the behavior for inspecting HTTP/2 traffic with the WAF to one that inspects after the data has accumulated. For exact steps, see AWS's security information and the target group documentation.

The first step is to inventory your own setup: where you place the WAF, which service (CloudFront / ALB) it is combined with, and whether HTTP/2 is enabled. If you rely on the WAF's body inspection to stop attacks, prioritize the ALB configuration change. At the same time, remember that a WAF is just one layer of defense-in-depth; thorough input validation and safe parameter handling on the app side are the ultimate safeguard against such bypasses.
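As an added example of the inventory step (not from AWS or the article), the script below joins two pieces of data a defender would already collect: the JSON from `aws elbv2 describe-target-groups` (which carries `ProtocolVersion` and `LoadBalancerArns`) and, per ALB, the web ACL reported by `aws wafv2 get-web-acl-for-resource`. It lists HTTP/2 target groups sitting behind a WAF-protected ALB, i.e. the configurations that need the CVE-2026-13763 attribute checked; the sample JSON, ARNs and account id are constructed placeholders, and the remediation attribute name is not on this page, so the script only identifies candidates for the manual check.

```python
import json

# Constructed sample in the shape of `aws elbv2 describe-target-groups` output
# (account id and ARNs are placeholders, not real resources).
TARGET_GROUPS_JSON = """{"TargetGroups": [
 {"TargetGroupName": "api-h2", "Protocol": "HTTP", "ProtocolVersion": "HTTP2",
  "LoadBalancerArns": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/public-alb/1"]},
 {"TargetGroupName": "web-h1", "Protocol": "HTTP", "ProtocolVersion": "HTTP1",
  "LoadBalancerArns": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/public-alb/1"]},
 {"TargetGroupName": "internal-h2", "Protocol": "HTTP", "ProtocolVersion": "HTTP2",
  "LoadBalancerArns": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-alb/1"]},
 {"TargetGroupName": "orphan-h2", "Protocol": "HTTP", "ProtocolVersion": "HTTP2",
  "LoadBalancerArns": []}
]}"""

# Constructed: web ACL name per ALB ARN, as collected with
# `aws wafv2 get-web-acl-for-resource --resource-arn <alb-arn>` (None = no WAF attached).
WAF_BY_ALB = {
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/public-alb/1": "prod-web-acl",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-alb/1": None,
}

def find_candidate_target_groups(target_groups_json: str, waf_by_alb: dict) -> list:
    """Return (target group, ALB ARN, web ACL) triples for HTTP/2 target groups behind
    an ALB with AWS WAF attached: the exact CVE-2026-13763 pattern. The remediation
    setting must then be verified in each listed target group's attributes."""
    findings = []
    for tg in json.loads(target_groups_json)["TargetGroups"]:
        if tg.get("ProtocolVersion") != "HTTP2":
            continue  # HTTP/1.1 target groups are outside this advisory
        for alb_arn in tg.get("LoadBalancerArns", []):
            acl = waf_by_alb.get(alb_arn)
            if acl:  # ALB without a web ACL relies on no WAF body inspection
                findings.append((tg["TargetGroupName"], alb_arn, acl))
    return findings

if __name__ == "__main__":
    for name, alb, acl in find_candidate_target_groups(TARGET_GROUPS_JSON, WAF_BY_ALB):
        print(f"CHECK {name}: behind {alb} (web ACL {acl}); verify HTTP/2 WAF inspection attribute")
```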

Summary

CVE-2026-13762 and CVE-2026-13763 are flaws where AWS WAF fails to fully inspect the body of fragmented HTTP/2 requests, letting attack data slip through. The CloudFront one is auto-fixed by AWS and needs no action; the load balancer (ALB) one requires a customer configuration change. Because it is a gap in the "wall of defense" that is a WAF, users of the affected configurations should check promptly.

Even with a defense service in place, your protection collapses if the details of its mechanism are exploited. Take this as a chance to not leave everything to the WAF, and to review both your configuration inventory and your app-side measures together.

FAQ

I use CloudFront — do I need to do anything?

CVE-2026-13762 is already auto-fixed on the AWS side, so there is nothing for customers to do. Simply using CloudFront means you are already protected.

What do I change on the load balancer (ALB)?

If you have HTTP/2 enabled on the ALB and combine it with AWS WAF, switch the target group attribute so that HTTP/2 traffic is inspected by the WAF "after sufficient data has accumulated." AWS provided this setting on May 22, 2026, and the steps are documented in AWS's security information.

Does this matter if I don't use a WAF?

This flaw is about AWS WAF's request-body inspection being bypassed. Configurations that do not use WAF body inspection are not directly affected, but if you have deployed WAF protection with CloudFront or ALB, you should check.

Is it already being exploited?

As of AWS's security information and this article, we have not confirmed any public report of real-world exploitation (such as listing in the U.S. CISA "Known Exploited Vulnerabilities" catalog). But since it requires no login and the severity is high, checking the configuration promptly is important for affected setups.

Update history

  • June 30, 2026: First published (based on the NVD release of June 29 and AWS security bulletin 2026-048).


Makoto Horikawa

Backend Engineer / AWS / Django