PT-2026-38403 · Unknown · Spring Cloud Aws

Matej Nedic · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-44308

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Spring Cloud AWS versions 3.0.0 through 4.0.1

Description: Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support via @NotificationMessageMapping, @NotificationSubscriptionMapping, or @NotificationUnsubscribeConfirmationMapping do not verify the signature of incoming SNS messages. An unauthenticated attacker with knowledge of the endpoint URL can send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This allows the attacker to force the application to process arbitrary payloads as legitimate notifications or to auto-confirm subscriptions and unsubscribe from attacker-controlled topics.

Recommendations: Versions 3.0.0 through 4.0.1: Upgrade to version 4.0.2. Versions 3.0.0 through 3.4.2: Manually verify the SNS message signature in a servlet filter or Spring HandlerInterceptor using SnsMessageManager before the request reaches the controller.
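As an added example (not code from this advisory or from the Spring Cloud AWS project), a Spring OncePerRequestFilter that applies the manual mitigation recommended for 3.x: it verifies the SNS signature with SnsMessageManager before any @Notification*Mapping controller sees the request, and rejects anything that fails with 403. SnsMessageManager here is the AWS SDK for Java v1 class (artifact aws-java-sdk-sns, an extra dependency beside the v2 SDK that Spring Cloud AWS 3.x uses); the region string, the jakarta.servlet package names and the use of the x-amz-sns-message-type header to select SNS requests are assumptions.

```java
import com.amazonaws.services.sns.message.SnsMessageManager;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.*;
import java.nio.charset.StandardCharsets;

/** Verifies the signature of SNS-shaped POSTs before they reach @Notification*Mapping handlers. */
public class SnsSignatureVerificationFilter extends OncePerRequestFilter {
    // Region of the subscribed topic(s); "us-east-1" is an assumed value, set it to yours.
    private final SnsMessageManager snsMessageManager = new SnsMessageManager("us-east-1");

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // SNS sets this header on Notification, SubscriptionConfirmation and UnsubscribeConfirmation
        // POSTs; only those requests are checked, everything else passes through untouched.
        return request.getHeader("x-amz-sns-message-type") == null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        byte[] body = request.getInputStream().readAllBytes();
        try {
            // parseMessage() validates the SigningCertURL, fetches the certificate and checks the
            // signature; it throws (SdkClientException) on a forged or malformed message.
            snsMessageManager.parseMessage(new ByteArrayInputStream(body));
        } catch (RuntimeException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SNS signature verification failed");
            return;
        }
        // The body was consumed above; hand the controller a request that can re-read it.
        chain.doFilter(new CachedBodyRequest(request, body), response);
    }

    private static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        CachedBodyRequest(HttpServletRequest request, byte[] body) { super(request); this.body = body; }
        @Override public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) { }
            };
        }
        @Override public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

Register the filter as a bean (or through a FilterRegistrationBean ordered ahead of Spring MVC) so it runs before the DispatcherServlet; rejected requests never reach the notification handlers, and a 403 in the access log is the signal that something other than SNS is posting to the endpoint.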

Fix

Insufficient Verification of Data Authenticity


Weakness Enumeration

Related Identifiers

CVE-2026-44308
GHSA-R4W4-WV68-QV85

Affected Products

Spring Cloud Aws