CVE-2026-47074: ex_aws_sns SigningCertURL not validated in verify_message/1
Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1. 'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification. This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.
HarborGuard Analysis
Synopsis
Improper certificate validation in the ex_aws_sns Elixir library (ExAws.SNS versions 2.0.1 up to but not including 2.3.5) allows an unauthenticated attacker to completely bypass SNS message signature verification. The vulnerability is reachable over the network with no authentication required: any attacker who can send an HTTP POST to an endpoint calling verify_message/1 can supply a self-controlled SigningCertURL, sign a forged SNS message with their own private key, and receive a passing :ok result from the verification function. Successful exploitation lets an attacker inject arbitrary SNS-formatted messages as if they were legitimately signed by AWS, enabling full integrity bypass of the SNS notification pipeline. A patched-image rebuild at version 2.3.5 (or commit 1853d280b152d10384a1e21a22cf22152a60be48) is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-47074 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Elixir images that bundle ex_aws_sns. Images carrying any affected version of ex_aws_sns in the range 2.0.1 to before 2.3.5 are flagged automatically.
- Severity scoring and routing: Available
HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and surfaces it with that severity weighting in each customer environment. Per-environment compliance policy rules are applied to route the finding to the appropriate team inbox, so the right owner sees the alert without manual filtering.
- Patched image: Available
A patched-image rebuild pinned to ex_aws_sns 2.3.5 (commit 1853d280b152d10384a1e21a22cf22152a60be48) becomes available through HarborGuard as soon as the fix version is confirmed in the upstream package registry. For customers who have auto-remediation enabled, HarborGuard triggers a rebuild of the affected image, runs the configured regression test suite, and opens a pull request against any workload referencing the vulnerable version.
Exploit Conditions
- Network reachability: Required
The attacker must be able to send an HTTP POST request over the network to any endpoint in the target application that invokes verify_message/1.
- Authentication: Not required
No account, session, or credential of any kind is needed; the attack is fully unauthenticated.
- Victim interaction: Not required
No user or operator action is required; the attacker triggers the vulnerability entirely through their own network request.
- Attack complexity: Low
Exploitation is reliable and condition-free: the attacker simply supplies a crafted SigningCertURL and a self-signed message payload, with no race conditions or special environmental state required.
Blast Radius
- The attacker injects arbitrary forged SNS messages that the application accepts as legitimate, bypassing all trust placed in AWS SNS as a message source.
- Any business logic gated on verified SNS notifications (subscription confirmations, event triggers, payment callbacks, provisioning webhooks) can be driven by attacker-controlled payloads.
- Data written to downstream stores or queues as a result of processed SNS messages can be corrupted or manipulated by the forged content.
- Integrity of the entire SNS-integrated notification pipeline is lost for the duration the vulnerable version is in use.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image containing ex_aws_sns 2.0.1 through 2.3.4, covering both images pulled from public registries and custom-built Elixir images. A patched rebuild at version 2.3.5 is made available automatically once the fix is confirmed upstream. For customers with auto-remediation enabled, HarborGuard performs the image rebuild, executes the regression test suite, and opens a pull request targeting affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with remediation guidance. Until the patched image is deployed, consider restricting inbound HTTP access to any endpoint calling verify_message/1 via network policy, and validating at the application layer that incoming SigningCertURL values match known AWS SNS certificate domains as a temporary compensating control.
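The application-layer compensating control mentioned above, written out as an added example for a Plug or Phoenix application on a still-vulnerable ex_aws_sns version. This is not code from ex_aws_sns or from HarborGuard; the module and function names are hypothetical, and the host pattern is an assumption that AWS SNS certificate URLs take the form https://sns.<region>.amazonaws.com/<file>.pem (with an optional .cn suffix). The wrapper refuses a message before any certificate is fetched unless its SigningCertURL is an HTTPS URL on such a host, and only then hands the message to ExAws.SNS.verify_message/1.

```elixir
# Added example (not part of ex_aws_sns): allow-list the SigningCertURL before
# ExAws.SNS.verify_message/1 fetches the certificate it names.
defmodule SnsCertUrlCheck do
  @moduledoc false

  # Assumption: AWS SNS signing certificates are served from
  # sns.<region>.amazonaws.com or sns.<region>.amazonaws.com.cn.
  # \A and \z anchor the whole host, so "sns.us-east-1.amazonaws.com.evil.example"
  # does not match.
  @aws_sns_host ~r/\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

  @doc """
  Returns {:ok, url} when `url` is an HTTPS URL, on an AWS SNS certificate host,
  on port 443, with no userinfo, whose path names a .pem file.
  Otherwise returns {:error, reason}.
  """
  @spec check_signing_cert_url(term()) :: {:ok, String.t()} | {:error, atom()}
  def check_signing_cert_url(url) when is_binary(url) do
    uri = URI.parse(url)
    host = if is_nil(uri.host), do: nil, else: String.downcase(uri.host)

    cond do
      uri.scheme != "https" -> {:error, :not_https}
      is_nil(host) or not Regex.match?(@aws_sns_host, host) -> {:error, :untrusted_host}
      not is_nil(uri.userinfo) -> {:error, :userinfo_present}
      # URI.parse fills in 443 for https when no explicit port is given.
      uri.port != 443 -> {:error, :nonstandard_port}
      is_nil(uri.path) or not String.ends_with?(uri.path, ".pem") -> {:error, :not_pem_path}
      true -> {:ok, url}
    end
  end

  def check_signing_cert_url(_not_a_string), do: {:error, :missing_url}

  @doc """
  Drop-in replacement for ExAws.SNS.verify_message/1 that rejects the message
  before any network fetch when its SigningCertURL is not on an AWS SNS host.
  Call this instead of ExAws.SNS.verify_message/1 from the webhook endpoint.
  """
  def verify_message(%{"SigningCertURL" => url} = message) do
    case check_signing_cert_url(url) do
      {:ok, _url} -> ExAws.SNS.verify_message(message)
      {:error, reason} -> {:error, {:untrusted_signing_cert_url, reason}}
    end
  end

  def verify_message(_message_without_url),
    do: {:error, {:untrusted_signing_cert_url, :missing_url}}
end

# Expected behaviour of the check on constructed inputs:
#   SnsCertUrlCheck.check_signing_cert_url(
#     "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem")
#   => {:ok, "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem"}
#   SnsCertUrlCheck.check_signing_cert_url("http://sns.us-east-1.amazonaws.com/cert.pem")
#   => {:error, :not_https}
#   SnsCertUrlCheck.check_signing_cert_url("https://sns.us-east-1.amazonaws.com.evil.example/cert.pem")
#   => {:error, :untrusted_host}
#   SnsCertUrlCheck.check_signing_cert_url("https://sns.us-east-1.amazonaws.com:8443/cert.pem")
#   => {:error, :nonstandard_port}
```

This is a compensating control, not a fix: it closes the attacker-controlled certificate source that the advisory describes, but the library still performs its own fetch and verification, so the upgrade to 2.3.5 should follow regardless. Log the `{:untrusted_signing_cert_url, reason}` rejections; any hit on a production endpoint is a forged-message attempt worth investigating.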
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 1853d280b152d10384a1e21a22cf22152a60be48
- Affected Products: 2
  - ex-aws / ex_aws_sns < 2.3.5 (from 2.0.1)
  - ex-aws / ex_aws_sns < 1853d280b152d10384a1e21a22cf22152a60be48 (from a7ec21880943f4dac1d59bda557db0ffcd2b61fa)
- CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N