Improper Certificate Validation in ExAws SNS by ExAws
CVE-2026-47074

8.7 HIGH

Key Information:

Vendor: Ex-aws
CVE Published: 28 May 2026

What is CVE-2026-47074?

The ExAws SNS module contains an improper certificate validation vulnerability that can allow an unauthenticated attacker to forge message signatures. Specifically, the issue arises in the 'verify_message/1' function, which retrieves the signing certificate from the 'SigningCertURL' field of an incoming SNS message without ensuring that the URL uses a secure scheme or that it originates from a legitimate AWS domain. Because of this missing check, an attacker can supply a malicious SigningCertURL pointing at a certificate they control, so that forged SNS messages pass signature verification and are accepted. The affected versions are ex_aws_sns from 2.0.1 up to, but not including, 2.3.5.
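The missing check described above, as an added Elixir example that is not ex_aws_sns's own code: it gates the certificate fetch on the SigningCertURL using HTTPS and naming an SNS host under amazonaws.com. The exact host allow-list pattern is an assumption for illustration, not taken from the advisory or the fixed release.

```elixir
# Added example, not code from ex_aws_sns. Validates a SigningCertURL before
# any certificate is downloaded, so a forged message cannot redirect the
# verifier to an attacker-controlled certificate.
defmodule SnsCertUrlCheck do
  # Assumed allow-list: sns.<region>.amazonaws.com, optionally with the .cn
  # suffix used by China regions. Adjust to the endpoints you actually use.
  @host_pattern ~r/^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/

  @doc """
  Returns :ok when the URL is an acceptable SigningCertURL, otherwise
  {:error, reason}. Only https URLs with no userinfo and an allow-listed
  host are accepted; everything else is rejected before any network call.
  """
  def validate(url) when is_binary(url) do
    case URI.parse(url) do
      # Scheme is https, no "user@" component, and a host is present.
      %URI{scheme: "https", userinfo: nil, host: host} when is_binary(host) ->
        # Hostnames are case-insensitive, so normalise before matching.
        if Regex.match?(@host_pattern, String.downcase(host)) do
          :ok
        else
          {:error, :untrusted_host}
        end

      # Any other scheme (http, file, ...) is refused outright.
      %URI{scheme: scheme} when is_binary(scheme) and scheme != "https" ->
        {:error, :insecure_scheme}

      # Missing scheme or host, or an https URL carrying userinfo.
      _ ->
        {:error, :malformed_url}
    end
  end

  def validate(_), do: {:error, :malformed_url}

  @doc """
  Gate for a verifier: extracts SigningCertURL from a decoded SNS message map
  and only returns the URL to fetch when validate/1 accepts it.
  """
  def signing_cert_url(%{"SigningCertURL" => url}) do
    with :ok <- validate(url), do: {:ok, url}
  end

  def signing_cert_url(_), do: {:error, :missing_signing_cert_url}
end
```

Calling `SnsCertUrlCheck.validate/1` with an `http://` URL, a URL whose host is not under amazonaws.com, or a URL using the `user@host` trick to disguise the real host yields an error tuple, while a regional SNS certificate URL over HTTPS yields `:ok`.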

Affected Version(s)

ex_aws_sns 2.0.1 < 2.3.5

ex_aws_sns a7ec21880943f4dac1d59bda557db0ffcd2b61fa < 1853d280b152d10384a1e21a22cf22152a60be48

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Bernard Duggan
Jonatan Männchen / EEF