CVE-2026-13762

High

Published: 29 June 2026

Modified: 01 July 2026
KEV Added
Patch
CVSS Score v4: 7.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0044 (35.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-13762 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Amazon CloudFront. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 35.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

CWE(s)

CWE-444 (HTTP Request/Response Smuggling)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1687: Exploitation for Defense Impairment (Tactic: Defense Impairment)
Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity.

Why these techniques?

HTTP/2 WAF bypass via request fragmentation directly enables exploitation of public-facing CloudFront apps (T1190) and impairs defensive inspection (T1687).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2833 (shared CWE-444)
CVE-2026-33870 (shared CWE-444)
CVE-2026-2332 (shared CWE-444)
CVE-2026-23527 (shared CWE-444)
CVE-2026-24880 (shared CWE-444)
CVE-2026-54388 (shared CWE-444)
CVE-2026-28367 (shared CWE-444)
CVE-2026-8646 (shared CWE-444)
CVE-2026-50052 (shared CWE-444)
CVE-2026-42581 (shared CWE-444)

Affected Assets

Vendor: amazon
Product: cloudfront
Versions: all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
