🟠 High  |  Source: AWS Security Bulletins


Two vulnerabilities (CVE-2026-13762 and CVE-2026-13763) were identified in AWS WAF’s handling of HTTP/2 request bodies that span multiple DATA frames, potentially allowing crafted requests to bypass inspection. The CloudFront variant has been fully remediated server-side and no customer action is needed, but the Application Load Balancer variant requires customers to explicitly configure how AWS WAF inspects HTTP/2 request bodies to ensure complete protection. Left unaddressed, the ALB issue could allow malicious payloads to pass through WAF rules undetected.

Security Architect’s Take: Review all AWS WAF deployments fronting ALBs and explicitly configure the HTTP/2 request body inspection setting — do not assume default behaviour provides full coverage. Prioritise any internet-facing ALBs where WAF rules are a primary control against injection or payload-based attacks.
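The review step above starts with knowing which web ACLs actually front an ALB and what body-inspection settings they carry today. The script below is an added example (not code from the AWS bulletin or from AWS) that builds that inventory with the wafv2 API calls ListWebACLs, ListResourcesForWebACL and GetWebACL via boto3. The specific setting the advisory asks customers to configure is not named on this page, so the script only surfaces each ACL's existing `AssociationConfig.RequestBody` entry for ALBs and flags ACLs that have none set; it changes nothing, and an explicit entry is not by itself proof that the advisory's setting has been applied. `FakeWafv2` is a constructed stand-in client with sample data so the logic runs offline.

```python
"""Inventory AWS WAF web ACLs that front Application Load Balancers.

Added example, not from the AWS bulletin. For every REGIONAL web ACL that
is associated with at least one ALB it reports the ALB ARNs and the ACL's
current ALB request-body association settings, as input to a manual review.
"""

from typing import Any, Dict, List

ALB = "APPLICATION_LOAD_BALANCER"


def _paginate_web_acls(wafv2: Any, scope: str = "REGIONAL") -> List[Dict[str, str]]:
    """Walk ListWebACLs, following NextMarker until the service stops returning one."""
    acls: List[Dict[str, str]] = []
    kwargs: Dict[str, Any] = {"Scope": scope, "Limit": 100}
    while True:
        page = wafv2.list_web_acls(**kwargs)
        acls.extend(page.get("WebACLs", []))
        marker = page.get("NextMarker")
        if not marker:
            return acls
        kwargs["NextMarker"] = marker


def find_alb_web_acls(wafv2: Any) -> List[Dict[str, Any]]:
    """One record per regional web ACL attached to an ALB.

    alb_request_body_config is the ACL's AssociationConfig.RequestBody entry
    for ALBs, or None when the ACL has never had one set and therefore
    relies on whatever the service applies by default.
    """
    findings: List[Dict[str, Any]] = []
    for acl in _paginate_web_acls(wafv2):
        albs = wafv2.list_resources_for_web_acl(
            WebACLArn=acl["ARN"], ResourceType=ALB
        ).get("ResourceArns", [])
        if not albs:
            continue  # ACL is not protecting an ALB; out of scope for this advisory
        detail = wafv2.get_web_acl(Name=acl["Name"], Scope="REGIONAL", Id=acl["Id"])["WebACL"]
        body_cfg = detail.get("AssociationConfig", {}).get("RequestBody", {}).get(ALB)
        findings.append({
            "name": acl["Name"],
            "arn": acl["ARN"],
            "albs": sorted(albs),
            "alb_request_body_config": body_cfg,
            "has_explicit_alb_body_config": body_cfg is not None,
        })
    return findings


class FakeWafv2:
    """Constructed stand-in for a boto3 wafv2 client (sample data, not real ACLs)."""
    _ACLS = [
        {"Name": "edge-acl", "Id": "id-1",
         "ARN": "arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/edge-acl/id-1"},
        {"Name": "api-acl", "Id": "id-2",
         "ARN": "arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/api-acl/id-2"},
        {"Name": "idle-acl", "Id": "id-3",
         "ARN": "arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/idle-acl/id-3"},
    ]
    _ALBS = {
        "edge-acl": ["arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/web/abc"],
        "api-acl": ["arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/api-int/ghi",
                    "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/api/def"],
    }
    _BODY_CFG = {"edge-acl": {"DefaultSizeInspectionLimit": "KB_64"}}

    def list_web_acls(self, Scope, Limit=100, NextMarker=None):
        # Two pages, to exercise the NextMarker loop.
        if NextMarker is None:
            return {"WebACLs": self._ACLS[:2], "NextMarker": "page2"}
        return {"WebACLs": self._ACLS[2:]}

    def list_resources_for_web_acl(self, WebACLArn, ResourceType):
        name = WebACLArn.rsplit("/", 2)[-2]  # .../webacl/<name>/<id>
        return {"ResourceArns": list(self._ALBS.get(name, []))}

    def get_web_acl(self, Name, Scope, Id):
        acl: Dict[str, Any] = {"Name": Name, "Id": Id, "Rules": []}
        if Name in self._BODY_CFG:
            acl["AssociationConfig"] = {"RequestBody": {ALB: self._BODY_CFG[Name]}}
        return {"WebACL": acl}


def demo() -> List[Dict[str, Any]]:
    """Run the inventory against the constructed client."""
    return find_alb_web_acls(FakeWafv2())


if __name__ == "__main__":
    import boto3  # only needed for a live run; the functions are client-agnostic
    for f in find_alb_web_acls(boto3.client("wafv2")):
        state = "explicit ALB body config" if f["has_explicit_alb_body_config"] else "NO explicit ALB body config"
        print(f"{f['name']}: {len(f['albs'])} ALB(s), {state}: {f['alb_request_body_config']}")
```

Run it with credentials for each region that hosts ALBs (wafv2 is regional, so create the client per region). ACLs reported with no explicit ALB body configuration are the ones most likely to be relying on defaults and belong at the top of the review list; every ACL fronting an internet-facing ALB should then be checked against the setting named in the advisory itself.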

Original advisory: CVE-2026-13762 and CVE-2026-13763 - Issue with HTTP/2 multi-frame request body inspection in AWS WAF