Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, unauthenticated, low-complexity HTTP/2 trigger (AV:N/AC:L/PR:N/UI:N); scope changes to the protected origin (S:C) with high integrity impact from smuggled payloads, while the bypass alone causes no direct disclosure or denial (C:N/A:N).
Primary rating from Vendor (AMZN).
Description (CVE.org)
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
This issue was remediated server-side. No customer action is required.
Analysis (AI)
WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target to be served through Amazon CloudFront with AWS WAF enabled and a managed rule configured to perform request body inspection; without that WAF body-inspection deployment there is nothing to bypass. … |
| Risk Assessment | AWS's CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated trigger with no impact to the vulnerable system (VC:N/VI:N/VA:N) but high subsequent-system impact (SC:H/SI:H/SA:H), correctly modeling that the damage lands on the protected origin behind CloudFront rather than on CloudFront itself, yielding a 7.9 (High). … |
| Exploit Scenario | An attacker targeting a web application behind CloudFront + AWS WAF crafts an HTTP/2 request that splits a malicious payload (such as a SQL injection or command-injection string) across multiple DATA frames, so the WAF inspects only a benign-looking partial body. The full body is reassembled at the origin, where the attack the managed rule was meant to block then executes. … |
| Remediation | Patch available per vendor advisory: AWS states the issue was remediated server-side with no customer action required, so no upgrade, redeployment, or configuration change is needed on the customer side. … |
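To make the body-fragmentation problem concrete, here is an added illustration (not AWS or vuln.today code) of why a WAF must reassemble every DATA frame of a stream before applying a body rule. It assumes a toy signature and a simplified "first frame only" inspector as a stand-in for the flawed behaviour; the page does not state how CloudFront's inspection actually truncated the body.

```python
import struct

FRAME_TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1


def build_data_frame(stream_id, payload, end_stream=False):
    """Encode one HTTP/2 DATA frame: 24-bit length, type, flags, 31-bit stream id."""
    flags = FLAG_END_STREAM if end_stream else 0
    header = (struct.pack(">I", len(payload))[1:]          # 3-byte length
              + bytes([FRAME_TYPE_DATA, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frames(raw):
    """Yield (stream_id, flags, payload) for each DATA frame in a byte string."""
    pos = 0
    while pos < len(raw):
        length = int.from_bytes(raw[pos:pos + 3], "big")
        ftype, flags = raw[pos + 3], raw[pos + 4]
        stream_id = int.from_bytes(raw[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = raw[pos + 9:pos + 9 + length]
        pos += 9 + length
        if ftype == FRAME_TYPE_DATA:
            yield stream_id, flags, payload


def rule_matches(body):
    """Toy stand-in for a managed body rule (constructed signature, not a real rule)."""
    return b"' OR 1=1" in body


def inspect_first_frame_only(raw):
    """Flawed inspector: evaluates the rule on the first DATA frame and stops."""
    for _, _, payload in parse_frames(raw):
        return rule_matches(payload)
    return False


def inspect_reassembled_body(raw):
    """Correct inspector: buffer DATA frames per stream until END_STREAM, then inspect."""
    bodies = {}
    for sid, flags, payload in parse_frames(raw):
        bodies.setdefault(sid, bytearray()).extend(payload)
        if flags & FLAG_END_STREAM and rule_matches(bytes(bodies.pop(sid))):
            return True
    return False


# Constructed sample: one body split across two DATA frames on stream 1.
SAMPLE = build_data_frame(1, b"id=1' OR ") + build_data_frame(1, b"1=1--", True)
```

The flawed inspector passes `SAMPLE` because the first frame alone looks benign, while the reassembling inspector blocks it; the origin sees the same reassembled body either way.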
Recommended Action (AI)
24 hours: Confirm all CloudFront distributions have AWS WAF enabled; request AWS account confirmation that server-side remediation is deployed. …
Same weakness CWE-444 – HTTP Request/Response Smuggling
Same technique: Authentication Bypass
Related identifiers: EUVD-2026-40220, GHSA-9jjc-h3c2-fw2v