CVE-2026-13763 – AWS Application Load Balancer
“A security control only works when it sees the whole request.”
AWS has addressed a critical vulnerability in AWS Application Load Balancer (ALB) affecting HTTP/2 target groups when AWS WAF is enabled. The issue could allow a remote attacker to bypass AWS WAF managed rule body inspection by sending specially crafted HTTP/2 requests that fragment the request body across multiple frames, resulting in only part of the body being inspected.
CVE-2026-13763 has a CVSS score of 9.8, which is Critical severity. No verified real-world exploitation or public proof-of-concept is confirmed. AWS recommends enabling the "Inspect after sufficient data" target group configuration for affected ALB deployments to ensure complete request body inspection before AWS WAF evaluates the traffic.
Key Details
- Affected Product
- Amazon Application Load Balancer
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-444