PT-2026-44365 · Unknown · Ex Aws Sns
Bernard Duggan
+1
·
Published
2026-05-26
·
Updated
2026-06-26
·
CVE-2026-47074
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
ex aws sns versions 2.0.1 through 2.3.4
Description
Improper Certificate Validation in the
ExAws.SNS and ExAws.SNS.PublicKeyCache modules allows for signature spoofing. The function verify message() fetches the signing certificate from the SigningCertURL field of an incoming SNS message without verifying that the URL uses HTTPS or that the host belongs to an AWS-owned SNS certificate domain. An unauthenticated attacker can provide a controlled SigningCertURL and sign a forged SNS message with their own key, causing the function to return :ok and bypassing signature verification. This occurs when the application exposes an HTTP endpoint that calls verify message() on incoming request bodies.Recommendations
Update ex aws sns to version 2.3.5.
Exploit
Fix
Resource Exhaustion
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Ex Aws Sns