Skip to main content

ex_aws_sns CVE-2026-47074

| EUVDEUVD-2026-32861 HIGH
Improper Certificate Validation (CWE-295)
2026-05-28 6b3ad84c-e1a6-4bf7-a703-f496b71e49db GHSA-jq4m-q6p2-8gwc GHSA-8jgf-23q5-x7xx
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 12:31 EUVD
Source Code Evidence Fetched
May 28, 2026 - 10:30 vuln.today
Analysis Generated
May 28, 2026 - 10:30 vuln.today

DescriptionCVE.org

Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.

AnalysisAI

SNS signature verification bypass in the Elixir ex_aws_sns library (versions 2.0.1 through 2.3.4) allows remote unauthenticated attackers to forge messages that pass ExAws.SNS.verify_message/1 checks. The verify_message/1 routine fetched the signing certificate from the attacker-supplied SigningCertURL field without restricting the scheme to HTTPS or the host to an AWS SNS certificate domain, so an attacker can host their own certificate, sign a forged payload, and have verification return :ok. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the upstream fix is published on GitHub (commit 1853d28) and shipped in 2.3.5.

Technical ContextAI

ex_aws_sns is a community Elixir client for Amazon Simple Notification Service built on the ExAws ecosystem. Amazon SNS authenticates push notifications to HTTP/HTTPS subscribers by signing the message with an RSA key whose certificate is published at a SigningCertURL field within the message itself; subscribers are expected to fetch that certificate, validate it chains to AWS and is served from an AWS-controlled host (e.g. sns.<region>.amazonaws.com), and only then verify the signature. The vulnerable implementation in lib/ex_aws/sns.ex and lib/ex_aws/sns/public_key_cache.ex trusted the SigningCertURL value as-is - no HTTPS enforcement, no hostname pinning, and no certificate chain validation - which is the canonical CWE-295 (Improper Certificate Validation) failure mode. The patch introduces a new ExAws.SNS.CertUtility module that pins the expected SNS hostname (sns.amazonaws.com), walks the Authority Information Access (AIA) extension up to a max chain depth, validates the message Timestamp against the certificate's notBefore/notAfter, and additionally adds SHA-256 (SignatureVersion 2) support.

RemediationAI

Vendor-released patch: upgrade ex_aws_sns to 2.3.5 or later, which adds AWS hostname pinning, AIA-based certificate chain validation, timestamp-vs-certificate-validity checks, and SignatureVersion 2 (SHA-256) support per commit 1853d280b152d10384a1e21a22cf22152a60be48 (https://github.com/ex-aws/ex_aws_sns/commit/1853d280b152d10384a1e21a22cf22152a60be48). Update mix.exs to {:ex_aws_sns, "~> 2.3.5"} and run mix deps.update ex_aws_sns. Until the upgrade ships, a workable compensating control is to wrap verify_message/1 with your own guard that rejects any SNS message whose SigningCertURL is not HTTPS and whose host does not match the regex ^sns\.[a-z0-9-]+\.amazonaws\.com$ - this is what the patch does and is safe for legitimate AWS traffic; the side effect is that custom test fixtures pointing at localhost or LocalStack will need a separate code path. Alternatively, restrict the SNS webhook endpoint via WAF/IP allowlist to AWS SNS publish ranges, accepting that AWS ranges change frequently and require automation to track. Review the GHSA-8jgf-23q5-x7xx advisory for the authoritative mitigation guidance.

Share

CVE-2026-47074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy