VYPR
High severityNVD Advisory· Published May 28, 2026· Updated May 29, 2026

CVE-2026-47074

CVE-2026-47074

Description

Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Ex AWS/Ex AWS Snsreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: >=2.0.1 <2.3.5

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.