PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47074 ex-aws CVE debrief

## Summary CVE-2026-47074 is a HIGH-severity (CVSS 8.7) Improper Certificate Validation vulnerability in the Elixir library ex_aws_sns, affecting versions 2.0.1 through 2.3.4. The vulnerability resides in the `verify_message/1` function and its supporting `PublicKeyCache` module, which fail to validate that the `SigningCertURL` field in incoming SNS messages uses HTTPS or originates from an AWS-owned domain. An unauthenticated attacker can exploit this by supplying a malicious certificate URL, signing a forged SNS message with their own key, and achieving complete signature verification bypass. ## Technical Details The vulnerable code paths are: - `lib/ex_aws/sns.ex` – specifically `'Elixir.ExAws.SNS':verify_message/1` - `lib/ex_aws/sns/public_key_cache.ex` – specifically `'Elixir.ExAws.SNS.PublicKeyCache':get/1` The `verify_message/1` function retrieves the signing certificate directly from the user-controlled `SigningCertURL` field without: 1. Enforcing HTTPS scheme validation 2. Validating that the host matches an AWS-owned SNS certificate domain (e.g., `sns.*.amazonaws.com`) This allows an attacker to host a self-signed certificate at an attacker-controlled URL, craft a malicious SNS message signed with the corresponding private key, and have the application accept it as legitimate. The vulnerability is classified under CWE-295 (Improper Certificate Validation). ## Affected Versions - **Affected:** ex_aws_sns versions 2.0.1 through 2.3.4 - **Fixed:** ex_aws_sns version 2.3.5 ## Impact Successful exploitation allows an unauthenticated attacker to: - Completely bypass SNS message signature verification - Spoof arbitrary SNS notifications to application endpoints - Potentially trigger unauthorized actions in applications relying on SNS message authenticity ## Recommended Actions 1. **Immediate Patching:** Upgrade ex_aws_sns to version 2.3.5 or later, which contains the fix in commit `1853d280b152d10384a1e21a22cf22152a60be48`. 2. **Verification:** After upgrading, verify that your application correctly rejects SNS messages with invalid or non-AWS certificate URLs. 3. **Network Controls:** As a defense-in-depth measure, implement network-level URL

Vendor
ex-aws
Product
ex_aws_sns
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations using ex_aws_sns versions 2.0.1-2.3.4 to process AWS SNS messages in Elixir/Phoenix applications, particularly those exposing SNS webhook endpoints that trigger security-sensitive operations.

Technical summary

The ex_aws_sns library's `verify_message/1` function fetches signing certificates from user-supplied URLs without validating HTTPS usage or AWS domain ownership, enabling complete SNS signature verification bypass via attacker-controlled certificates.

Defensive priority

critical

Recommended defensive actions

  • Upgrade ex_aws_sns to version 2.3.5 or later
  • Verify SNS message signature validation behavior post-upgrade
  • Implement network-level egress filtering to restrict certificate URL fetching to known AWS domains
  • Review application logs for suspicious SNS message patterns prior to patching

Evidence notes

Vulnerability description and affected versions confirmed via NVD entry and Erlef CNA advisory. Fix commit and GitHub Security Advisory provide technical confirmation of the validation bypass. CVSS 4.0 vector and score sourced from NVD.

Official resources

2026-05-28