CVE-2026-13762 and CVE-2026-13763 - Issue with HTTP/2 multi-frame request body inspection in AWS WAF
Bulletin ID: 2026-048-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/29/2026 13:15 PM PDT
Description:
AWS WAF is a web application firewall that monitors the HTTP(S) requests that are forwarded to your protected web application resources. We identified CVE-2026-13762 and CVE-2026-13763, which are issues affecting HTTP/2 multi-frame request body inspection by AWS WAF.
CVE-2026-13762 affects AWS WAF deployments with CloudFront. This issue was remediated server-side; no customer action is required.
CVE-2026-13763 affects AWS WAF deployments with AWS Application Load Balancer (ALB). Under certain conditions, a crafted multi-frame HTTP/2 request could cause only a partial request body to be inspected. This issue has been addressed on ALB, and customers can ensure full protection by configuring how AWS WAF inspects HTTP/2 request bodies on their ALB.
Resolution:
On May 22, 2026, we released a new configuration option on ALB, which addresses this issue. We recommend that customers review and update the WAF HTTP/2 traffic inspection behavior under target group attributes for HTTP/2 endpoints. This enables ALB to accumulate HTTP/2 data frames before AWS WAF performs inspection. For detailed instructions, refer to the developer guide.
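The resolution above has ALB accumulate HTTP/2 DATA frames before AWS WAF inspects the body. The following Python example is added here for illustration; it is not AWS code and does not describe the conditions behind either CVE. It reassembles each stream's body from interleaved DATA frames (RFC 9113 framing) and matches a rule only against the complete body. The function names, the `max_body` limit, the `RULE` marker and the sample bodies are assumptions constructed for the example.

```python
DATA, END_STREAM, PADDED = 0x0, 0x1, 0x8   # RFC 9113 frame type and flag bits

def frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for every frame in buf."""
    pos = 0
    while pos < len(buf):
        end = pos + 9 + int.from_bytes(buf[pos:pos + 3], "big")
        if end > len(buf):
            raise ValueError("truncated frame")
        sid = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield buf[pos + 3], buf[pos + 4], sid, buf[pos + 9:end]
        pos = end

def data_bytes(flags, payload):
    """Return the body bytes of a DATA frame with any padding removed."""
    if not flags & PADDED:
        return payload
    if not payload or payload[0] >= len(payload):
        raise ValueError("invalid padding")
    return payload[1:len(payload) - payload[0]]

def accumulated_bodies(buf, max_body=8192):
    """Buffer DATA per stream until END_STREAM (max_body: assumed limit)."""
    pending, done = {}, {}
    for ftype, flags, sid, payload in parse_frames(buf):
        if ftype != DATA:
            continue
        body = pending.setdefault(sid, bytearray())
        body += data_bytes(flags, payload)
        if len(body) > max_body:
            raise ValueError("body larger than inspection buffer")
        if flags & END_STREAM:
            done[sid] = bytes(pending.pop(sid))
    return done

def matching_streams(rule, bodies):
    return sorted(sid for sid, body in bodies.items() if rule in body)

# Constructed sample: two request bodies on streams 1 and 3, DATA frames interleaved.
RULE = b"RULE-MARKER"
BODY1 = b'{"note":"constructed sample","field":"RULE-MARKER"}'
BODY3 = b'{"note":"constructed sample without the pattern"}'
WIRE = (frame(DATA, 0, 1, BODY1[:24]) + frame(DATA, 0, 3, BODY3[:10])
        + frame(DATA, END_STREAM, 1, BODY1[24:]) + frame(DATA, END_STREAM, 3, BODY3[10:]))
```

A stream that never sends END_STREAM stays in the pending buffer and is not released for matching, so a real inspector also needs a policy for bodies that exceed the buffer or never complete.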
Workarounds:
No workarounds are available.
References:
Please email aws-security@amazon.com with any security questions or concerns.