PT-2026-44365 · Unknown · Ex Aws Sns

Bernard Duggan

+1

·

Published

2026-05-26

·

Updated

2026-06-26

·

CVE-2026-47074

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions ex aws sns versions 2.0.1 through 2.3.4
Description Improper Certificate Validation in the ExAws.SNS and ExAws.SNS.PublicKeyCache modules allows for signature spoofing. The function verify message() fetches the signing certificate from the SigningCertURL field of an incoming SNS message without verifying that the URL uses HTTPS or that the host belongs to an AWS-owned SNS certificate domain. An unauthenticated attacker can provide a controlled SigningCertURL and sign a forged SNS message with their own key, causing the function to return :ok and bypassing signature verification. This occurs when the application exposes an HTTP endpoint that calls verify message() on incoming request bodies.
Recommendations Update ex aws sns to version 2.3.5.

Exploit

Fix

Resource Exhaustion

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47074
GHSA-76V6-F83Q-PXVH
GHSA-8JGF-23Q5-X7XX
GHSA-JQ4M-Q6P2-8GWC

Affected Products

Ex Aws Sns