CVE-2026-47074
Deferred Deferred - Pending Action
Improper Certificate Validation in ExAws SNS

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: EEF

Description
Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1. 'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification. This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-47074
EUVD
EUVD-2026-32861
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ex_aws ex_aws_sns From 2.0.1 (inc) to 2.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47074 is an Improper Certificate Validation vulnerability in the ex_aws_sns library, specifically in the ExAws.SNS and ExAws.SNS.PublicKeyCache modules. The vulnerability occurs because the verify_message/1 function fetches the signing certificate from the SigningCertURL field of an incoming SNS message without validating that the URL uses HTTPS or that the host belongs to an AWS-owned SNS certificate domain.

An unauthenticated attacker who can send a POST request to an endpoint that calls verify_message/1 can supply a malicious SigningCertURL pointing to a certificate they control. They can then sign a forged SNS message with their own key, causing the function to incorrectly verify the signature and return :ok, effectively bypassing SNS signature verification and allowing signature spoofing.

Impact Analysis

This vulnerability allows an attacker to spoof arbitrary SNS notifications by bypassing signature verification. This can lead to unauthorized actions such as hijacking topic subscriptions or disrupting legitimate subscriptions.

Because the attacker can forge messages that appear authentic, applications relying on ex_aws_sns for SNS message verification may process malicious or false notifications, potentially leading to data integrity issues, unauthorized operations, or denial of service.

The vulnerability requires no special privileges and can be exploited by anyone able to send POST requests to the vulnerable endpoint, making it a significant security risk.

Detection Guidance

This vulnerability arises when an application exposes an HTTP endpoint that calls the verify_message/1 function on incoming SNS messages without properly validating the SigningCertURL field.

To detect this vulnerability on your system, you should check if your application uses the ex_aws_sns library versions from 2.0.1 up to but not including 2.3.5, and if it calls the verify_message/1 function on incoming SNS messages.

You can also monitor network traffic or logs for SNS messages where the SigningCertURL field points to non-AWS domains or uses HTTP instead of HTTPS, which indicates potential exploitation attempts.

Suggested commands include searching your codebase for usage of verify_message/1 and inspecting HTTP endpoints that receive SNS messages. For example, using grep:

  • grep -r 'verify_message' ./
  • grep -r 'SigningCertURL' ./

Additionally, you can capture and inspect HTTP POST requests to your SNS endpoints to verify the SigningCertURL values, using tools like tcpdump or Wireshark.

Mitigation Strategies

The primary mitigation is to upgrade the ex_aws_sns library to version 2.3.5 or later, where the vulnerability has been patched.

The patch includes validation of the SigningCertURL to ensure it uses HTTPS and that the host matches an AWS-owned SNS certificate domain, preventing attackers from supplying malicious certificates.

If upgrading immediately is not possible, implement additional validation in your application to verify that the SigningCertURL field uses HTTPS and points only to trusted AWS SNS certificate domains before calling verify_message/1.

Review your HTTP endpoints that process SNS messages to ensure they do not accept messages with untrusted SigningCertURL values.

Monitor your system for suspicious SNS messages with unexpected SigningCertURL values and consider blocking or alerting on such messages.

Compliance Impact

The vulnerability allows an unauthenticated attacker to bypass SNS signature verification by exploiting improper certificate validation, which can lead to signature spoofing and acceptance of forged SNS messages.

This compromise of message integrity could impact compliance with standards and regulations such as GDPR and HIPAA, which require ensuring data authenticity and integrity to protect sensitive information.

By allowing forged messages to be accepted as authentic, the vulnerability may lead to unauthorized data processing or disclosure, thereby violating regulatory requirements for data protection and security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart