GHSA-9jjc-h3c2-fw2vHighCVSS 9.8

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might...

Published
June 29, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.

This issue was remediated server-side. No customer action is required.

🔗 References (3)