GHSA-r4w4-wv68-qv85

Source
https://github.com/advisories/GHSA-r4w4-wv68-qv85
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-r4w4-wv68-qv85/GHSA-r4w4-wv68-qv85.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-r4w4-wv68-qv85
Aliases
  • CVE-2026-44308
Published
2026-05-07T00:06:52Z
Modified
2026-05-07T00:19:46.352714Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Details

Impact

Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages.

An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages, causing the application to:

  • Process arbitrary payloads as if they were legitimate SNS notifications.
  • Auto-confirm subscriptions or unsubscribe from attacker-controlled topics.

Affected versions: 3.0.0 through 3.4.2, 4.0.0, and 4.0.1.

The 3.x line will not receive a fix; users on 3.x should apply the workaround below or upgrade to 4.0.2.

Patches

Fixed in Spring Cloud AWS 4.0.2. When using Spring Boot auto-configuration, signature verification is enabled by default. Users should upgrade to 4.0.2.

Workarounds

Manually verify the SNS message signature in a servlet filter or Spring HandlerInterceptor before the request reaches the controller, using SnsMessageManager from the AWS SDK v2 sns-message-manager module.
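The following Go program is an added example and is not code from the advisory, from Spring Cloud AWS or from the AWS SDK; it shows what the workaround (and the SnsMessageManager it recommends) has to do, using the procedure from the AWS "Verifying the signatures of Amazon SNS messages" page linked below: rebuild the canonical "Name\nValue\n" string in the documented field order for each message type, and check the PKCS#1 v1.5 RSA signature (SHA-1 for SignatureVersion 1, SHA-256 for SignatureVersion 2) with the key from the certificate at SigningCertURL. It also covers the Impact section's spoofed request: a body whose Message was changed under a replayed genuine signature is rejected, and a SigningCertURL outside the SNS domain is refused before anything is fetched, which is the check a hand-rolled filter most often forgets. The names SnsMessage, VerifyMessage and signAsSns, the topic ARN, message text and certificate path are constructed for the example; the signing key is generated in-process instead of being downloaded from SNS, and the servlet filter or HandlerInterceptor wiring itself is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // SHA-1 for SignatureVersion 1
	_ "crypto/sha256" // SHA-256 for SignatureVersion 2
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SnsMessage mirrors the JSON body SNS POSTs; encoding/json matches field names case-insensitively, so no tags are needed.
type SnsMessage struct {
	Type, MessageId, TopicArn, Subject, Message, Timestamp, Token, SubscribeURL string
	SignatureVersion, Signature, SigningCertURL                                string
}

// The signing certificate may only be fetched over HTTPS from an SNS host; anything else is an attacker's key (and an SSRF).
var snsCertHost = regexp.MustCompile(`^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$`)

// CanonicalString builds the "Name\nValue\n" sequence SNS signs, in the documented field order for each message type.
func CanonicalString(m SnsMessage) (string, error) {
	kv := []string{"Message", m.Message, "MessageId", m.MessageId}
	switch m.Type {
	case "Notification":
		if m.Subject != "" { // Subject is signed only when present
			kv = append(kv, "Subject", m.Subject)
		}
		kv = append(kv, "Timestamp", m.Timestamp)
	case "SubscriptionConfirmation", "UnsubscribeConfirmation":
		kv = append(kv, "SubscribeURL", m.SubscribeURL, "Timestamp", m.Timestamp, "Token", m.Token)
	default:
		return "", fmt.Errorf("unknown message type %q", m.Type)
	}
	return strings.Join(append(kv, "TopicArn", m.TopicArn, "Type", m.Type), "\n") + "\n", nil
}

// VerifyMessage validates SigningCertURL before anything is fetched from it, then verifies the PKCS#1 v1.5 signature
// over the canonical string. fetchKey is injected so this runs offline; in production it downloads the PEM at the
// URL, calls x509.ParseCertificate, and returns cert.PublicKey.(*rsa.PublicKey).
func VerifyMessage(m SnsMessage, fetchKey func(string) (*rsa.PublicKey, error)) error {
	if u, err := url.Parse(m.SigningCertURL); err != nil || u.Scheme != "https" || !snsCertHost.MatchString(u.Hostname()) || !strings.HasSuffix(u.Path, ".pem") {
		return fmt.Errorf("refusing SigningCertURL %q", m.SigningCertURL)
	}
	h, ok := map[string]crypto.Hash{"1": crypto.SHA1, "2": crypto.SHA256}[m.SignatureVersion]
	if !ok {
		return fmt.Errorf("unsupported SignatureVersion %q", m.SignatureVersion)
	}
	canon, err := CanonicalString(m)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return fmt.Errorf("bad Signature encoding: %w", err)
	}
	pub, err := fetchKey(m.SigningCertURL)
	if err != nil {
		return err
	}
	d := h.New()
	d.Write([]byte(canon))
	return rsa.VerifyPKCS1v15(pub, h, d.Sum(nil), sig)
}

// signAsSns stands in for AWS in this offline example: mint a throwaway key, sign m (SignatureVersion 2), return the public key.
func signAsSns(m *SnsMessage) (*rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	m.SignatureVersion = "2"
	canon, err := CanonicalString(*m)
	if err != nil {
		return nil, err
	}
	d := crypto.SHA256.New()
	d.Write([]byte(canon))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d.Sum(nil))
	m.Signature = base64.StdEncoding.EncodeToString(sig)
	return &key.PublicKey, err
}

func main() {
	m := SnsMessage{Type: "Notification", MessageId: "m-1", Message: "order 42 paid", TopicArn: "arn:aws:sns:us-east-1:123456789012:orders",
		Timestamp: "2026-05-07T00:00:00.000Z", SigningCertURL: "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-test.pem"}
	pub, err := signAsSns(&m)
	if err != nil {
		panic(err)
	}
	trust := func(string) (*rsa.PublicKey, error) { return pub, nil }
	forged := m
	forged.Message = "order 42 refunded" // attacker replays the genuine signature on new content
	fmt.Println("genuine:", VerifyMessage(m, trust), "forged:", VerifyMessage(forged, trust))
}
```

In a filter or interceptor the same order applies: decode the body, run the URL check and fail closed before any outbound fetch, cache the certificate per URL so an attacker cannot make the endpoint download on every request, and only then let the request reach the @NotificationMessageMapping or @NotificationSubscriptionMapping handler.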

Resources

  • AWS SNS: Verifying the signatures of Amazon SNS messages (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html)
  • AWS SDK for Java v2: SnsMessageManager (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/messagemanager/sns/SnsMessageManager.html)
  • Fix PR: #1614
Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-05-07T00:06:52Z",
    "nvd_published_at": null
}
References

Affected packages

Maven / io.awspring.cloud:spring-cloud-aws-sns

Package

Name
io.awspring.cloud:spring-cloud-aws-sns
Purl
pkg:maven/io.awspring.cloud/spring-cloud-aws-sns

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.2

Affected versions

4.*
4.0.0
4.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-r4w4-wv68-qv85/GHSA-r4w4-wv68-qv85.json"

Maven / io.awspring.cloud:spring-cloud-aws-sns

Package

Name
io.awspring.cloud:spring-cloud-aws-sns
Purl
pkg:maven/io.awspring.cloud/spring-cloud-aws-sns

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Last affected
3.4.2

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.1.1
3.2.0-M1
3.2.0
3.2.1
3.3.0-M1
3.3.0-RC1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-r4w4-wv68-qv85/GHSA-r4w4-wv68-qv85.json"