CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13763

criticalCVSS 9.8covered by 2 sourcesfirst seen 2026-06-29
Bulletin ID: 2026-048-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/29/2026 11:15 PM PDT Description: AWS WAF is a web application firewall that monitors the HTTP(S) requests that are forwarded to your protected web application resources. We identified CVE-2026-13762 and CVE-2026-13763, which are issues affecting HTTP/2 multi-frame request body inspection by AWS WAF. CVE-2026-13762 affects AWS WAF deployment with CloudFront. This issue was remediated server-side; no customer action is required. CVE-2026-13763 affects AWS WAF deployment with AWS Application Load Balancer (ALB). Under certain conditions, a crafted multi-frame HTTP/2 request could cause only a partial request body to be inspected. This issue has been addressed on ALB, and customers can ensure full protection by configuring how AWS WAF inspects HTTP/2 request bodies on their ALB. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Issues with HTTP/2 multi-frame request body inspection in AWS WAF could lead to incomplete request body processing.
Who is affected
AWS WAF deployments with Application Load Balancer (ALB) are affected.
Urgency
Remediation is important to ensure full protection against crafted requests.
Action
Configure AWS WAF to properly inspect HTTP/2 request bodies on ALB.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-13763

Get an email if CVE-2026-13763 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-13763

CVE.org record

Embed the live status

CVE-2026-13763 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13763 status](https://www.csirts.com/badge/CVE-2026-13763)](https://www.csirts.com/cve/CVE-2026-13763)