CVE-2026-44308

MEDIUM

Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications

Title source: cna

Description

Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/awspring/spring-cloud-aws/security/advisories/GHSA-r4w4-wv68-qv85

Scores

CVSS v4 6.3

EPSS 0.0018

EPSS Percentile 7.6%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-345

Status published

Products (4)

awspring/spring-cloud-aws >= 3.0.0, < 4.0.2

io.awspring.cloud/spring-cloud-aws-sns 3.0.0 - 3.4.2Maven

io.awspring.cloud/spring-cloud-aws-sns 4.0.0 - 4.0.2Maven

io.awspring.cloud/spring-cloud-aws-sns >= 3.0.0, < 4.0.2

Published May 14, 2026

Tracked Since May 14, 2026