
AWS Application Load Balancer

1 CVEs product

Monthly

CVE-2026-13763 HIGH POC HOSTED Monitor

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.

Authentication Bypass, Request Smuggling, AWS Application Load Balancer
NVD GitHub
CVSS 4.0: 7.9
EPSS: 0.5%