Description
Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.
Published: 2026-05-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the ExAws.SNS module fetching the signing certificate from the SigningCertURL field of an incoming SNS message without verifying that the URL uses HTTPS or that the host belongs to an AWS-owned SNS domain. An attacker who can POST to any endpoint that calls ExAws.SNS:verify_message/1 can supply a forged SigningCertURL pointing to a certificate they control, sign a counterfeit SNS message with their own key, and cause the function to return :ok. This bypasses the intended signature verification and allows the attacker to have arbitrary messages accepted by the application, effectively spoofing AWS SNS notifications and potentially triggering unintended actions.

Affected Systems

The affected product is ex-aws ex_aws_sns, spanning all releases from version 2.0.1 up through any release before 2.3.5. No other vendors or product variants are listed as affected.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (High) reflects a flaw reachable over the network with no privileges or user interaction required, whose recorded impact is on integrity only (VC:N/VI:H/VA:N): forged messages are accepted, but the vector records no confidentiality or availability impact. The EPSS estimate is below 1% and the CVE is not in CISA's KEV catalog, so there is no evidence of in-the-wild exploitation at publication time; the SSVC assessment nonetheless marks it as automatable. The attack path is simple once a target is found: an unauthenticated POST to any endpoint that passes the message to verify_message/1, with a SigningCertURL pointing at a certificate the attacker controls, is enough to have the attacker's own signature accepted.

Generated by OpenCVE AI on May 28, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The affected range (from 2.0.1 before 2.3.5) indicates that 2.3.5 is the first release carrying the fix.

OpenCVE Recommended Actions

  • Upgrade ex_aws_sns to 2.3.5 or later, the first release outside the affected range.
  • If upgrading is not immediately possible, validate SigningCertURL in the application before calling verify_message/1: reject any URL that is not HTTPS or whose host is not an AWS SNS certificate host (AWS documents the form sns.<region>.amazonaws.com). Check the parsed host, not a substring of the URL string, so lookalike hosts (sns.us-east-1.amazonaws.com.attacker.example) and user-info tricks (https://sns.us-east-1.amazonaws.com@attacker.example/) are rejected.
  • Make sure the HTTP client that fetches the certificate verifies the TLS peer; a URL check does not help if the fetch itself accepts any server. ExAws.SNS.PublicKeyCache.get/1 is listed alongside verify_message/1 as an affected routine, so treat certificates cached before the fix as unvalidated and restart the application after patching.
  • Restrict endpoints that invoke verify_message/1 to trusted networks to reduce exposure. The flaw itself needs no authentication, so this is defense in depth, not a substitute for the fix.
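The following Elixir module shows the pre-check described in the analysis above and in the second recommended action: an allow-list on SigningCertURL applied before the message reaches verify_message/1. It is an added example for this page, not code from ex_aws_sns. The host pattern follows the form AWS documents for SNS signing certificates (sns.<region>.amazonaws.com, plus .amazonaws.com.cn for China regions); the requirement that the path end in .pem, the string-keyed map shape of the message, and the :ok / {:error, _} return shape of the wrapper are assumptions of this example.

```elixir
defmodule SnsSigningCertUrl do
  @moduledoc """
  Allow-list check for the SigningCertURL of an inbound SNS message, run
  before the message is handed to ExAws.SNS.verify_message/1.

  Added example; not code from ex_aws_sns. The host form follows AWS
  documentation; the .pem requirement is an extra restriction chosen here.
  """

  # Anchored with \A and \z so "sns.us-east-1.amazonaws.com.attacker.example"
  # does not match. URI.parse/1 separates userinfo from host, so
  # "https://sns.us-east-1.amazonaws.com@attacker.example/" is rejected too.
  @host_pattern ~r/\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

  @spec valid?(term()) :: boolean()
  def valid?(url) when is_binary(url) do
    case URI.parse(url) do
      # URI.parse/1 fills in port 443 for https when none is given, so an
      # explicit non-standard port also fails this match.
      %URI{scheme: "https", host: host, port: 443, path: path, query: nil, fragment: nil}
      when is_binary(host) and is_binary(path) ->
        Regex.match?(@host_pattern, host) and String.ends_with?(path, ".pem")

      _ ->
        false
    end
  end

  def valid?(_), do: false

  # Wrapper around the library call. The message is assumed to be the decoded
  # JSON body as a map with string keys, and verify_message/1 is assumed to
  # return :ok on success (the advisory says a forged message makes it return :ok).
  @spec verify(map()) :: :ok | {:error, term()}
  def verify(%{"SigningCertURL" => url} = message) do
    if valid?(url) do
      ExAws.SNS.verify_message(message)
    else
      {:error, :untrusted_signing_cert_url}
    end
  end

  def verify(_message), do: {:error, :missing_signing_cert_url}
end

# Self-check; run with `elixir sns_signing_cert_url.exs`. All inputs are constructed.
good = "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-0123456789abcdef.pem"
true = SnsSigningCertUrl.valid?(good)
false = SnsSigningCertUrl.valid?(String.replace_prefix(good, "https://", "http://"))
false = SnsSigningCertUrl.valid?("https://sns.us-east-1.amazonaws.com.attacker.example/cert.pem")
false = SnsSigningCertUrl.valid?("https://sns.us-east-1.amazonaws.com@attacker.example/cert.pem")
false = SnsSigningCertUrl.valid?("https://attacker.example/cert.pem")
false = SnsSigningCertUrl.valid?(nil)
{:error, :untrusted_signing_cert_url} =
  SnsSigningCertUrl.verify(%{"SigningCertURL" => "https://attacker.example/cert.pem"})
{:error, :missing_signing_cert_url} = SnsSigningCertUrl.verify(%{"Message" => "hi"})
IO.puts("SigningCertURL checks passed")
```

The check parses the URL and compares the host component against an anchored pattern; matching the raw string (for example, checking that it contains "amazonaws.com") would pass both lookalike inputs in the self-check. The wrapper only narrows which URLs reach the library; the certificate fetch inside ex_aws_sns still has to verify the TLS peer for the check to mean anything.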


Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 10:15:00 +0000

Type               | Values Removed | Values Added
Description        | (none)         | (the Description text shown at the top of this page)
Title              | (none)         | ex_aws_sns SigningCertURL not validated in verify_message/1
First Time appeared| (none)         | Ex Aws Sns Project; Ex Aws Sns Project ex Aws Sns
Weaknesses         | (none)         | CWE-295
CPEs               | (none)         | cpe:2.3:a:ex_aws_sns_project:ex_aws_sns:*:*:*:*:*:*:*:*
Vendors & Products | (none)         | Ex Aws Sns Project; Ex Aws Sns Project ex Aws Sns
References         | (none)         | (none)
Metrics            | (none)         | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-29T04:40:43.232Z

Reserved: 2026-05-18T17:28:08.322Z

Link: CVE-2026-47074

Vulnrichment

Updated: 2026-05-28T10:31:09.474Z

NVD

Status : Deferred

Published: 2026-05-28T10:16:39.800

Modified: 2026-05-29T15:29:42.387

Link: CVE-2026-47074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:36Z

Weaknesses