CVE-2026-47074
Improper Certificate Validation in ExAws SNS
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ex_aws | ex_aws_sns | From 2.0.1 (inc) to 2.3.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-47074 is an Improper Certificate Validation vulnerability in the ex_aws_sns library, specifically in the ExAws.SNS and ExAws.SNS.PublicKeyCache modules. The vulnerability occurs because the verify_message/1 function fetches the signing certificate from the SigningCertURL field of an incoming SNS message without validating that the URL uses HTTPS or that the host belongs to an AWS-owned SNS certificate domain.
An unauthenticated attacker who can send a POST request to an endpoint that calls verify_message/1 can supply a malicious SigningCertURL pointing to a certificate they control. They can then sign a forged SNS message with their own key, causing the function to incorrectly verify the signature and return :ok, effectively bypassing SNS signature verification and allowing signature spoofing.
How can this vulnerability impact me? :
This vulnerability allows an attacker to spoof arbitrary SNS notifications by bypassing signature verification. This can lead to unauthorized actions such as hijacking topic subscriptions or disrupting legitimate subscriptions.
Because the attacker can forge messages that appear authentic, applications relying on ex_aws_sns for SNS message verification may process malicious or false notifications, potentially leading to data integrity issues, unauthorized operations, or denial of service.
The vulnerability requires no special privileges and can be exploited by anyone able to send POST requests to the vulnerable endpoint, making it a significant security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when an application exposes an HTTP endpoint that calls the verify_message/1 function on incoming SNS messages without properly validating the SigningCertURL field.
To detect this vulnerability on your system, you should check if your application uses the ex_aws_sns library versions from 2.0.1 up to but not including 2.3.5, and if it calls the verify_message/1 function on incoming SNS messages.
You can also monitor network traffic or logs for SNS messages where the SigningCertURL field points to non-AWS domains or uses HTTP instead of HTTPS, which indicates potential exploitation attempts.
Suggested commands include searching your codebase for usage of verify_message/1 and inspecting HTTP endpoints that receive SNS messages. For example, using grep:
- grep -r 'verify_message' ./
- grep -r 'SigningCertURL' ./
Additionally, you can capture and inspect HTTP POST requests to your SNS endpoints to verify the SigningCertURL values, using tools like tcpdump or Wireshark.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the ex_aws_sns library to version 2.3.5 or later, where the vulnerability has been patched.
The patch includes validation of the SigningCertURL to ensure it uses HTTPS and that the host matches an AWS-owned SNS certificate domain, preventing attackers from supplying malicious certificates.
If upgrading immediately is not possible, implement additional validation in your application to verify that the SigningCertURL field uses HTTPS and points only to trusted AWS SNS certificate domains before calling verify_message/1.
Review your HTTP endpoints that process SNS messages to ensure they do not accept messages with untrusted SigningCertURL values.
Monitor your system for suspicious SNS messages with unexpected SigningCertURL values and consider blocking or alerting on such messages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an unauthenticated attacker to bypass SNS signature verification by exploiting improper certificate validation, which can lead to signature spoofing and acceptance of forged SNS messages.
This compromise of message integrity could impact compliance with standards and regulations such as GDPR and HIPAA, which require ensuring data authenticity and integrity to protect sensitive information.
By allowing forged messages to be accepted as authentic, the vulnerability may lead to unauthorized data processing or disclosure, thereby violating regulatory requirements for data protection and security.