
AWS Application Load Balancer - EUVD-2026-40221 | CVE-2026-13763 - HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-06-29 · Vendor: AMZN · GHSA-9m3p-hghr-5v6c
7.9 (CVSS 4.0, Vendor: AMZN)

Severity by source

Vendor (AMZN), primary: 7.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.3 CRITICAL
A network-reachable, unauthenticated, low-complexity WAF bypass with a scope change to the backend: integrity is rated high because smuggled content reaches the application, confidentiality low, and availability not directly affected.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (AMZN).

CVSS Vector (Vendor: AMZN)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact (C / I / A): None / None / None
Subsequent System Impact (C / I / A): High / High / High

Lifecycle Timeline (3 events)

Analysis Generated: Jun 29, 2026 20:32 (vuln.today)
Severity Changed: Jun 29, 2026 20:22 (NVD), from CRITICAL to HIGH
CVSS changed: Jun 29, 2026 20:22 (NVD), from 9.8 (CRITICAL) to 7.9 (HIGH)

Description (CVE.org)

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.

To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB load balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

Analysis (AI)

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple DATA frames so that only a partial body is inspected before the request reaches the backend. The flaw (CWE-444, inconsistent interpretation of HTTP requests, i.e. request smuggling) affects only ALBs that have AWS WAF enabled and use HTTP/2 target groups, and lets attackers slip malicious payloads past WAF managed rules. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify an ALB with WAF enabled and an HTTP/2 target group
Delivery: Craft an HTTP/2 request that fragments the body across DATA frames
Exploit: WAF inspects only the partial body
Execution: The malicious payload bypasses the managed rules
Persist: The full body is reassembled at the backend
Impact: The backend processes the unfiltered attack
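The flow above, modelled as an added example (this is not AWS code and does not reproduce ALB or WAF internals): the block builds HTTP/2 DATA frames in the RFC 9113 frame layout for a request body, then runs three inspection strategies over them. Inspecting only the first DATA frame misses a payload carried in a later frame; inspecting each frame in isolation still misses a payload that straddles a frame boundary; only buffering the body up to END_STREAM before matching, which is what an "inspect after sufficient data" behaviour amounts to, sees the whole payload. The signature list is a constructed stand-in for a managed rule group, and the sample bodies are constructed.

```python
"""Model of the HTTP/2 body-fragmentation WAF bypass class. Added example."""
import re

DATA_FRAME_TYPE = 0x0
FLAG_END_STREAM = 0x1
FRAME_HEADER_LEN = 9

# Constructed stand-in for a managed rule group (assumption, not AWS rules).
SIGNATURES = [
    re.compile(rb"(?i)union\s+select"),
    re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"),
]


def build_data_frames(stream_id, body, chunk_sizes):
    """Split `body` into DATA frames of the given sizes; the last one carries END_STREAM."""
    sizes = list(chunk_sizes)
    if sum(sizes) != len(body):
        raise ValueError("chunk sizes must cover the whole body")
    frames, offset = [], 0
    for i, size in enumerate(sizes):
        payload = body[offset:offset + size]
        offset += size
        flags = FLAG_END_STREAM if i == len(sizes) - 1 else 0
        # 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id
        header = (len(payload).to_bytes(3, "big")
                  + bytes([DATA_FRAME_TYPE, flags])
                  + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
        frames.append(header + payload)
    return frames


def parse_frames(raw):
    """Yield (type, flags, stream_id, payload) for each frame in a byte stream."""
    pos = 0
    while pos < len(raw):
        if len(raw) - pos < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(raw[pos:pos + 3], "big")
        ftype, flags = raw[pos + 3], raw[pos + 4]
        stream_id = int.from_bytes(raw[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = raw[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += FRAME_HEADER_LEN + length


def matches(data):
    return any(sig.search(data) for sig in SIGNATURES)


def inspect_first_frame_only(raw):
    """Inspects only the body bytes in the first DATA frame (the partial-body case)."""
    for ftype, _flags, _sid, payload in parse_frames(raw):
        if ftype == DATA_FRAME_TYPE:
            return matches(payload)
    return False


def inspect_per_frame(raw):
    """Inspects every DATA frame, but each one on its own."""
    return any(matches(p) for t, _f, _s, p in parse_frames(raw) if t == DATA_FRAME_TYPE)


def inspect_buffered(raw):
    """Reassembles the body up to END_STREAM, then inspects it once."""
    body = bytearray()
    for ftype, flags, _sid, payload in parse_frames(raw):
        if ftype != DATA_FRAME_TYPE:
            continue
        body += payload
        if flags & FLAG_END_STREAM:
            break
    return matches(bytes(body))


def inspect_all(body, chunk_sizes, stream_id=1):
    """Frame `body` as DATA frames and report what each strategy detects."""
    raw = b"".join(build_data_frames(stream_id, body, chunk_sizes))
    return {
        "first_frame_only": inspect_first_frame_only(raw),
        "per_frame": inspect_per_frame(raw),
        "buffered": inspect_buffered(raw),
    }


if __name__ == "__main__":
    # Constructed sample bodies; chunk sizes choose where the frame boundary falls.
    cases = {
        "benign": (b"user=alice&q=apple", [18]),
        "payload in frame 2": (b"id=7&note=hi&x=1 union select 1", [12, 19]),
        "payload straddles frames": (b"user=alice&q=apple' OR 1=1--", [19, 9]),
    }
    for name, (body, sizes) in cases.items():
        print(f"{name:26s} {inspect_all(body, sizes)}")
```

The third case is the one that matters for rule coverage: a payload split exactly at a frame boundary defeats per-frame matching as well as first-frame matching, so any inspection point that does not buffer to a decision boundary before evaluating the body leaves a gap.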

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target be an AWS ALB with AWS WAF enabled and serving an HTTP/2 target group; HTTP/1.x target groups are explicitly not affected. …

Risk Assessment: AWS's CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated condition with no special attack requirements, which favors exploitability. …

Exploit Scenario: An attacker targets a public web application sitting behind an HTTP/2-enabled ALB with AWS WAF managed rules and sends a crafted HTTP/2 request that splits a malicious payload (e.g., a SQL injection or command string) across multiple DATA frames so that WAF inspects only the harmless leading fragment. The full reassembled body, including the malicious portion WAF never saw, reaches the backend application and is processed, defeating the managed-rule protection. …

Remediation: The vendor advisory provides a configuration change rather than a software patch: enable the 'Inspect after sufficient data' target group attribute on each target group associated with the affected ALB, as documented at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection, so that WAF buffers enough of the request body before inspecting it and fragmented bodies are evaluated in full. Independently of this advisory, AWS WAF inspects a request body only up to the web ACL's body inspection size limit (8 KB by default for ALB-associated web ACLs, configurable up to 64 KB), and the body match statement's oversize handling setting (Continue, Match or NoMatch) decides what happens to larger bodies; review that setting alongside the new attribute. …

Recommended Action (AI)

Within 24 hours: Identify all Application Load Balancers with AWS WAF enabled serving HTTP/2 traffic and document WAF rule coverage for each target group. …
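An inventory helper for that 24-hour step, as an added example (not AWS tooling and not the page's own code): it lists target groups whose ProtocolVersion is HTTP2 and that are attached to an ALB with a WAFv2 web ACL associated. The record shapes follow the boto3 responses for elbv2 DescribeLoadBalancers, elbv2 DescribeTargetGroups and wafv2 GetWebACLForResource; every ARN and record below is constructed. The `collect_live` function assumes boto3 is installed and credentials are configured and is not executed by the sample; it queries WAFv2 only, not AWS WAF Classic. The attribute key behind "Inspect after sufficient data" is not stated in the advisory and is deliberately not guessed here.

```python
"""Find HTTP/2 target groups behind WAF-fronted ALBs. Added example, not AWS tooling."""

REGION = "us-east-1"
ACCOUNT = "123456789012"
ELB_PREFIX = f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}"

# Constructed ARNs for the sample data below.
PROD_ALB_ARN = f"{ELB_PREFIX}:loadbalancer/app/web-prod/0123456789abcdef"
NOWAF_ALB_ARN = f"{ELB_PREFIX}:loadbalancer/app/web-nowaf/fedcba9876543210"
NLB_ARN = f"{ELB_PREFIX}:loadbalancer/net/tcp-ingress/00ff00ff00ff00ff"
API_H2_TG_ARN = f"{ELB_PREFIX}:targetgroup/api-h2/1111111111111111"
WEB_H1_TG_ARN = f"{ELB_PREFIX}:targetgroup/web-h1/2222222222222222"
LEGACY_H2_TG_ARN = f"{ELB_PREFIX}:targetgroup/legacy-h2/3333333333333333"
ORPHAN_H2_TG_ARN = f"{ELB_PREFIX}:targetgroup/orphan-h2/4444444444444444"
PROD_ACL_ARN = f"arn:aws:wafv2:{REGION}:{ACCOUNT}:regional/webacl/prod-acl/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

# Constructed sample records in boto3 response shape.
SAMPLE_LBS = [
    {"LoadBalancerArn": PROD_ALB_ARN, "LoadBalancerName": "web-prod", "Type": "application"},
    {"LoadBalancerArn": NOWAF_ALB_ARN, "LoadBalancerName": "web-nowaf", "Type": "application"},
    {"LoadBalancerArn": NLB_ARN, "LoadBalancerName": "tcp-ingress", "Type": "network"},
]
SAMPLE_TGS = [
    {"TargetGroupArn": API_H2_TG_ARN, "Protocol": "HTTPS", "ProtocolVersion": "HTTP2", "LoadBalancerArns": [PROD_ALB_ARN]},
    {"TargetGroupArn": WEB_H1_TG_ARN, "Protocol": "HTTP", "ProtocolVersion": "HTTP1", "LoadBalancerArns": [PROD_ALB_ARN]},
    {"TargetGroupArn": LEGACY_H2_TG_ARN, "Protocol": "HTTP", "ProtocolVersion": "HTTP2", "LoadBalancerArns": [NOWAF_ALB_ARN]},
    {"TargetGroupArn": ORPHAN_H2_TG_ARN, "Protocol": "HTTP", "ProtocolVersion": "HTTP2", "LoadBalancerArns": []},
]
# Load balancer ARN -> web ACL ARN, present only for ALBs with a web ACL associated.
SAMPLE_WEB_ACLS = {PROD_ALB_ARN: PROD_ACL_ARN}


def find_exposed_target_groups(load_balancers, target_groups, web_acl_by_lb_arn,
                               protocol_versions=("HTTP2",)):
    """Return [(target_group_arn, lb_arn, web_acl_arn)] for target groups whose
    ProtocolVersion is in `protocol_versions` and that are attached to an ALB
    that has a web ACL. GRPC target groups also carry HTTP/2 to targets; the
    advisory does not name them, so pass ("HTTP2", "GRPC") to list those for review too.
    """
    waf_albs = {
        lb["LoadBalancerArn"]
        for lb in load_balancers
        if lb.get("Type") == "application" and lb["LoadBalancerArn"] in web_acl_by_lb_arn
    }
    exposed = []
    for tg in target_groups:
        if tg.get("ProtocolVersion") not in protocol_versions:
            continue
        for lb_arn in tg.get("LoadBalancerArns", []):
            if lb_arn in waf_albs:
                exposed.append((tg["TargetGroupArn"], lb_arn, web_acl_by_lb_arn[lb_arn]))
    return exposed


def collect_live(region_name):
    """Fetch the same three inputs from a real account. Assumption: boto3 is
    installed and credentials are configured; this is not run by the sample.
    Queries WAFv2 associations only; AWS WAF Classic (waf-regional) is not covered.
    """
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region_name)
    wafv2 = boto3.client("wafv2", region_name=region_name)
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
           for lb in page["LoadBalancers"]]
    tgs = [tg for page in elbv2.get_paginator("describe_target_groups").paginate()
           for tg in page["TargetGroups"]]
    acls = {}
    for lb in lbs:
        if lb["Type"] != "application":
            continue
        resp = wafv2.get_web_acl_for_resource(ResourceArn=lb["LoadBalancerArn"])
        if resp.get("WebACL"):
            acls[lb["LoadBalancerArn"]] = resp["WebACL"]["ARN"]
    return lbs, tgs, acls


if __name__ == "__main__":
    for tg_arn, lb_arn, acl_arn in find_exposed_target_groups(SAMPLE_LBS, SAMPLE_TGS, SAMPLE_WEB_ACLS):
        print(f"REVIEW {tg_arn}\n   behind {lb_arn}\n   web ACL {acl_arn}")
```

Run against the sample data only `api-h2` is reported: `web-h1` is HTTP/1, `legacy-h2` sits behind an ALB with no web ACL (so there is no WAF to bypass, though it also has no WAF protection), and `orphan-h2` is attached to nothing. Run `collect_live` per region and feed its three outputs to `find_exposed_target_groups` to get the list of target groups on which to set the attribute.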




EUVD-2026-40221 vulnerability details – vuln.today
