PT-2026-53691 · Aws · Amazon Aws Cloudfront

Published

2026-06-29

Updated

2026-06-29

CVE-2026-13762

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.

This issue was remediated server-side. No customer action is required.

Fix

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

CVE-2026-13762

Affected Products

Amazon Aws Cloudfront

PT-2026-53691 · Aws · Amazon Aws Cloudfront

CVE-2026-13762

Weakness Enumeration

Related Identifiers

Affected Products

References · 2