PT-2026-38403 · Maven · io.awspring.cloud:spring-cloud-aws-sns

Published: 2026-05-07 · Updated: 2026-05-07 · CVE-2026-44308

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Impact

Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages.
An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages, causing the application to:
  • Process arbitrary payloads as if they were legitimate SNS notifications.
  • Auto-confirm subscriptions or unsubscribe from attacker-controlled topics.
Affected versions: 3.0.0 through 3.4.2, 4.0.0, and 4.0.1.
The 3.x line will not receive a fix; users on 3.x should apply the workaround below or upgrade to 4.0.2.

Patches

Fixed in Spring Cloud AWS 4.0.2. When using Spring Boot auto-configuration, signature verification is enabled by default. Users should upgrade to 4.0.2.

Workarounds

Manually verify the SNS message signature in a servlet filter or Spring HandlerInterceptor before the request reaches the controller, using SnsMessageManager from the AWS SDK v2 sns-message-manager module.
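The workaround above as a concrete servlet filter. This is an added example, not code from the advisory or from the Spring Cloud AWS project. It assumes a Jakarta servlet stack with Spring Web, that the v2 SnsMessageManager class sits in the package named in the import, takes a region string in its constructor, and exposes parseMessage(InputStream) that throws a RuntimeException on a bad signature (the SDK v1 class behaves this way; check the v2 sns-message-manager javadoc). The package name, filter class name, region value and body-size cap are illustrative choices.

```java
// Added example (not from the advisory or the Spring Cloud AWS project): verify the SNS
// signature in a filter so unsigned or forged POSTs never reach the notification handlers.
package com.example.sns; // hypothetical package

import java.io.ByteArrayInputStream;
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ReadListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletInputStream;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import software.amazon.awssdk.services.sns.messagemanager.SnsMessageManager; // ASSUMED location of the v2 class

@Component
public class SnsSignatureVerificationFilter extends OncePerRequestFilter {

    // SNS sets this header on every HTTP/HTTPS delivery; the Spring Cloud AWS mapping
    // annotations match on it as well, so a request without it never reaches those handlers.
    private static final String SNS_TYPE_HEADER = "x-amz-sns-message-type";

    // SNS payloads are small JSON envelopes; refuse anything far larger before parsing it.
    private static final int MAX_BODY_BYTES = 1024 * 1024; // illustrative cap

    // ASSUMED constructor shape (mirrors SDK v1); use the region of the topics that deliver here.
    private final SnsMessageManager messageManager = new SnsMessageManager("us-east-1");

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return request.getHeader(SNS_TYPE_HEADER) == null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        byte[] body = request.getInputStream().readNBytes(MAX_BODY_BYTES + 1);
        if (body.length > MAX_BODY_BYTES) {
            response.sendError(HttpServletResponse.SC_CONTENT_TOO_LARGE);
            return;
        }
        try {
            // ASSUMED v2 semantics (same as v1): fetches the signing certificate named in the
            // message, checks the signature over the canonical fields, throws on any failure.
            messageManager.parseMessage(new ByteArrayInputStream(body));
        } catch (RuntimeException e) {
            // Reject before the controller sees the payload, so nothing is auto-confirmed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SNS signature verification failed");
            return;
        }
        // Hand the controller a request whose body can be read again.
        chain.doFilter(new CachedBodyRequest(request, body), response);
    }

    /** Request wrapper that replays the already-consumed body to downstream readers. */
    static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;

        CachedBodyRequest(HttpServletRequest request, byte[] body) {
            super(request);
            this.body = body;
        }

        @Override
        public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) { /* blocking reads only */ }
            };
        }
    }
}
```

Two points a practitioner will hit with this shape: the body must be buffered and replayed, because the verifier and the @NotificationMessageMapping handler both need to read it, and the wrapper above only overrides getInputStream(), so add a matching getReader() if any downstream component reads the body as characters. Keep the filter in place even after upgrading, or confirm that the 4.0.2 auto-configuration's built-in verification is active in your deployment, since the advisory says it is on by default only when Spring Boot auto-configuration is used.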

Resources

  • Fix

Weakness Enumeration

  • Insufficient Verification of Data Authenticity

Related Identifiers

  • CVE-2026-44308
  • GHSA-r4w4-wv68-qv85

Affected Products

  • io.awspring.cloud:spring-cloud-aws-sns