Spring Cloud AWS: Missing SNS message signature verification allows spoofing...

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.

Basic Information

ID CVE-2026-44308

Source GitHub_M

Published May 14, 2026 at 14:39

Affected Product

Vendor awspring

Product spring-cloud-aws

Version >= 3.0.0, < 4.0.2

Affected Versions awspring spring-cloud-aws >= 3.0.0, < 4.0.2
io.awspring.cloud spring-cloud-aws-sns >= 3.0.0, < 4.0.2

CWE Classification

CWE-345

References

github.com /awspring/spring-cloud-aws/security/advisories/GHSA-r4w4-wv68-qv85

{
    "lastseen": "",
    "description": "Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.",
    "published": "2026-05-14T14:39:18.227Z",
    "modified": "2026-05-14T14:39:18.227Z",
    "type": "cve",
    "title": "Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications",
    "source": "GitHub_M",
    "references": "https://github.com/awspring/spring-cloud-aws/security/advisories/GHSA-r4w4-wv68-qv85",
    "id": "CVE-2026-44308",
    "bulletinFamily": "",
    "cwe": [
        "CWE-345"
    ],
    "cvelist": null,
    "sourceData": "awspring spring-cloud-aws >= 3.0.0, < 4.0.2\nio.awspring.cloud spring-cloud-aws-sns >= 3.0.0, < 4.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "spring-cloud-aws",
    "version": ">= 3.0.0, < 4.0.2",
    "vendor": "awspring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications_CVE-2026-44308