
Amazon CloudFront CVE-2026-13762

EUVD: EUVD-2026-40220 · HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-06-29 · AMZN · GHSA-9jjc-h3c2-fw2v
CVSS 4.0 score: 7.9 · Vendor: AMZN

Severity by source

Vendor (AMZN), primary: 7.9 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.6 HIGH

Remote, unauthenticated, low-complexity HTTP/2 trigger (AV:N/AC:L/PR:N/UI:N); scope changes to the protected origin (S:C) with high integrity impact from smuggled payloads, while the bypass alone causes no direct disclosure or denial (C:N/A:N).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (AMZN).

CVSS Vector (Vendor: AMZN)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined in CVSS 4.0)

Lifecycle Timeline (3 events)

Analysis Generated · Jun 29, 2026 20:30 · vuln.today
Severity Changed · Jun 29, 2026 20:22 · NVD · CRITICAL → HIGH
CVSS changed · Jun 29, 2026 20:22 · NVD · 9.8 (CRITICAL) → 7.9 (HIGH)

Description (CVE.org)

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.

This issue was remediated server-side. No customer action is required.

Analysis (AI)

A WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so that only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify target behind CloudFront + AWS WAF
Delivery: Craft malicious HTTP/2 request body
Exploit: Fragment body across DATA frames
Execution: WAF inspects only partial body
Persist: Full payload reassembles at origin
Impact: Blocked attack reaches application

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target to be served through Amazon CloudFront with AWS WAF enabled and a managed rule configured to perform request body inspection; without such a WAF body-inspection deployment there is nothing to bypass. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: AWS's CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated trigger with no impact to the vulnerable system (VC:N/VI:N/VA:N) but high subsequent-system impact (SC:H/SI:H/SA:H), correctly modeling that the damage lands on the protected origin behind CloudFront rather than on CloudFront itself, yielding 7.9 (High). …

Exploit Scenario: An attacker targeting a web application behind CloudFront + AWS WAF crafts an HTTP/2 request that splits a malicious payload (such as a SQL injection or command-injection string) across multiple DATA frames so that the WAF inspects only a benign-looking partial body. The full body reassembles at the origin and executes the attack the managed rule was meant to block. …

Remediation: Patch available per vendor advisory; AWS states the issue was remediated server-side with no customer action required, so no upgrade, redeployment, or configuration change is needed on the customer side. …

Recommended Action (AI)

24 hours: Confirm all CloudFront distributions have AWS WAF enabled; request AWS account confirmation that server-side remediation is deployed. …

