CVE-2026-13763 – AWS Application Load Balancer

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“A security control only works when it sees the whole request.”

AWS has addressed a critical vulnerability in AWS Application Load Balancer (ALB) affecting HTTP/2 target groups when AWS WAF is enabled. The issue could allow a remote attacker to bypass AWS WAF managed rule body inspection by sending specially crafted HTTP/2 requests that fragment the request body across multiple frames, resulting in only part of the body being inspected.

CVE-2026-13763 has a CVSS score of 9.8, which is Critical severity. No verified real-world exploitation or public proof-of-concept is confirmed. AWS recommends enabling the "Inspect after sufficient data" target group configuration for affected ALB deployments to ensure complete request body inspection before AWS WAF evaluates the traffic.

Key Details

Affected Product
Amazon Application Load Balancer
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-444
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.