Cyber Resilience

CVE-2026-13763

High

Published: 29 June 2026
Modified: 01 July 2026
KEV Added: not listed
Patch
CVSS Score v4: 7.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0047 (37.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-13763 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in the Amazon Application Load Balancer. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks at the 37.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB load balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1211 Exploitation for Stealth (Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability enables remote bypass of WAF body inspection on a public-facing ALB via HTTP/2 frame fragmentation (CWE-444), directly facilitating stealthy exploitation of the exposed application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-10264 (shared CWE-444)
CVE-2026-2833 (shared CWE-444)
CVE-2026-33870 (shared CWE-444)
CVE-2026-2332 (shared CWE-444)
CVE-2026-23527 (shared CWE-444)
CVE-2026-24880 (shared CWE-444)
CVE-2026-54388 (shared CWE-444)
CVE-2026-28367 (shared CWE-444)
CVE-2026-8646 (shared CWE-444)
CVE-2026-50052 (shared CWE-444)

Affected Assets

Amazon Application Load Balancer (all versions)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
