CVE-2026-47074

ex_aws_sns SigningCertURL not validated in verify_message/1

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-295 — CWE-295 Improper Certificate Validation

CAPEC

• CAPEC-473 — CAPEC-473 Signature Spoofing by Improper Validation

CVSS 4.0 Score

8.7

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability description

Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.

Affected

pkg:hex/ex_aws_sns

Module	Source File	Routine
ExAws.SNS	lib/ex_aws/sns.ex	ExAws.SNS.verify_message/1
ExAws.SNS.PublicKeyCache	lib/ex_aws/sns/public_key_cache.ex	ExAws.SNS.PublicKeyCache.get/1

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	2.0.1	< 2.3.5

pkg:github/ex-aws/ex_aws_sns

Module	Source File	Routine
ExAws.SNS	lib/ex_aws/sns.ex	ExAws.SNS.verify_message/1
ExAws.SNS.PublicKeyCache	lib/ex_aws/sns/public_key_cache.ex	ExAws.SNS.PublicKeyCache.get/1

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	a7ec218809	< 1853d280b1

Configurations

The application must expose an HTTP endpoint that calls 'Elixir.ExAws.SNS':verify_message/1 on incoming request bodies.

References

• https://github.com/ex-aws/ex_aws_sns/security/advisories/GHSA-8jgf-23q5-x7xx vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-47074 related
• https://github.com/ex-aws/ex_aws_sns/commit/1853d280b152d10384a1e21a22cf22152a60be48 patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Bernard Duggan
• Remediation developer: Jonatan Männchen / EEF
• Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-47074.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-47074.json