CVE-2026-13763
🟠 Patch this week
Inconsistent interpretation of HTTP/2 requests in AWS ALB allows bypass of WAF inspection.
CVSS
9.8
EPSS
0.0%
Exploit
none
Vendor
Source description (NVD)
Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB load balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection
none
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-06-29 20:17:33 UTC |
| Last modified (NVD) | 2026-06-29 20:17:33 UTC |
References
- https://aws.amazon.com/security/security-bulletins/2026-048-aws/ (ff89ba41-3aa1-4d27-914a-91399e9639e5)
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection (ff89ba41-3aa1-4d27-914a-91399e9639e5)