Which versions of ex_aws_sns are affected by CVE-2026-47074?

The Elixir ex_aws_sns library (versions 2.0.1-2.3.4) contains a critical signature verification bypass that allows unauthenticated attackers to forge AWS SNS messages that pass validation checks.. A patch is available.

How to fix or mitigate CVE-2026-47074?

24 hours: Audit infrastructure to identify all Elixir applications using ex_aws_sns and determine installed versions. 7 days: Upgrade all instances to ex_aws_sns 2.3.5 or later via dependency management (update mix.exs and deploy). 30 days: Verify all deployments are running patched versions, test SNS message verification functionality in staging, and review logs for any abnormal SNS message patterns during the vulnerability exposure window.

ex_aws_sns CVE-2026-47074

Q: What is the CVSS score of CVE-2026-47074?

CVE-2026-47074 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-32861 HIGH

Improper Certificate Validation (CWE-295)

2026-05-28 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Authentication Bypass

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 28, 2026 - 12:31 EUVD

Source Code Evidence Fetched

May 28, 2026 - 10:30 vuln.today

Analysis Generated

May 28, 2026 - 10:30 vuln.today

DescriptionNVD

Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.

AnalysisAI

SNS signature verification bypass in the Elixir ex_aws_sns library (versions 2.0.1 through 2.3.4) allows remote unauthenticated attackers to forge messages that pass ExAws.SNS.verify_message/1 checks. The verify_message/1 routine fetched the signing certificate from the attacker-supplied SigningCertURL field without restricting the scheme to HTTPS or the host to an AWS SNS certificate domain, so an attacker can host their own certificate, sign a forged payload, and have verification return :ok. …

RemediationAI

24 hours: Audit infrastructure to identify all Elixir applications using ex_aws_sns and determine installed versions. 7 days: Upgrade all instances to ex_aws_sns 2.3.5 or later via dependency management (update mix.exs and deploy). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-47074 vulnerability details – vuln.today

Back

ex_aws_sns CVE-2026-47074

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

ex_aws_sns CVE-2026-47074

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code