Skip to main content

Spring Cloud AWS SNS EUVDEUVD-2026-30302

| CVE-2026-44308 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-07 https://github.com/awspring/spring-cloud-aws GHSA-r4w4-wv68-qv85
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 14, 2026 - 15:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
May 07, 2026 - 00:32 vuln.today
Analysis Generated
May 07, 2026 - 00:32 vuln.today
CVE Published
May 07, 2026 - 00:06 nvd
MEDIUM

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 maven packages depend on io.awspring.cloud:spring-cloud-aws-sns (6 direct, 5 indirect)

Ecosystem-wide dependent count for version 4.0.0.

DescriptionGitHub Advisory

Impact

Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages.

An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages, causing the application to:

  • Process arbitrary payloads as if they were legitimate SNS notifications.
  • Auto-confirm subscriptions or unsubscribe from attacker-controlled topics.

Affected versions: 3.0.0 through 3.4.2, 4.0.0, and 4.0.1.

The 3.x line will not receive a fix; users on 3.x should apply the workaround below or upgrade to 4.0.2.

Patches

Fixed in Spring Cloud AWS 4.0.2. When using Spring Boot auto-configuration, signature verification is enabled by default. Users should upgrade to 4.0.2.

Workarounds

Manually verify the SNS message signature in a servlet filter or Spring HandlerInterceptor before the request reaches the controller, using SnsMessageManager from the AWS SDK v2 sns-message-manager module.

Resources

  • AWS SNS: Verifying the signatures of Amazon SNS messages (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html)
  • AWS SDK for Java v2: SnsMessageManager (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/messagemanager/sns/SnsMessageManager.html)
  • Fix PR: #1614

AnalysisAI

Spring Cloud AWS SNS HTTP/HTTPS endpoint handlers (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) in versions 3.0.0-3.4.2, 4.0.0, and 4.0.1 fail to verify the cryptographic signature of incoming SNS messages, allowing unauthenticated attackers who know the endpoint URL to send forged SNS notifications, subscription confirmations, or unsubscribe requests. This enables attackers to trigger arbitrary message processing, auto-confirm malicious topic subscriptions, or force unsubscription from legitimate topics. Fixed in Spring Cloud AWS 4.0.2 with signature verification enabled by default; 3.x line receives no patch and must use workarounds.

Technical ContextAI

Amazon SNS (Simple Notification Service) signs all outgoing messages using RSA-SHA256 signatures included in the SigningCertURL, MessageId, and Signature HTTP headers. Spring Cloud AWS provides Spring annotations to bind SNS HTTP POST requests directly to Java methods without requiring manual request parsing. The vulnerable code path uses the AWS SDK v2 SnsMessageManager class only for conditional message type detection, not for cryptographic verification. The fix introduces SnsMessageManager throughout the handler resolution chain to validate the RSA signature before unmarshalling the JSON payload. CWE-345 (Insufficient Verification of Data Authenticity) classifies the root cause: accepting external input (SNS message JSON) without cryptographic proof of origin. The Maven package io.awspring.cloud:spring-cloud-aws-sns is the affected artifact.

RemediationAI

Upgrade Spring Cloud AWS to version 4.0.2 or later immediately if using 4.0.0 or 4.0.1; the fix enables signature verification by default via the spring.cloud.aws.sns.verification configuration property (defaults to true). For users unable to immediately upgrade from 3.x, implement manual SNS message signature verification in a Spring HandlerInterceptor or servlet filter *before* the request reaches the @NotificationMessageMapping controller method, using the SnsMessageManager class from the AWS SDK v2 sns-message-manager module (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/messagemanager/sns/SnsMessageManager.html). This workaround trade-off: adds complexity and latency to every SNS request but eliminates the forgery risk without upgrading. After upgrade, signature verification is on by default; disable only if absolutely necessary via spring.cloud.aws.sns.verification=false, though this negates the fix and is not recommended. Consult AWS SNS documentation on signature verification (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html) for implementation details. Fix PR #1614 (https://github.com/awspring/spring-cloud-aws/pull/1614) demonstrates the exact integration pattern.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-30302 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy