Missing Authentication for Critical Function Affecting io.awspring.cloud:spring-cloud-aws-sns package, versions [,4.0.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.18% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-IOAWSPRINGCLOUD-16799818
  • published22 May 2026
  • disclosed7 May 2026
  • creditUnknown

Introduced: 7 May 2026

CVE-2026-44308  (opens in a new tab)
CWE-306  (opens in a new tab)

How to fix?

Upgrade io.awspring.cloud:spring-cloud-aws-sns to version 4.0.2 or higher.

Overview

Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the SNS HTTP/HTTPS notification endpoints due to missing signature verification. An attacker can cause the application to process arbitrary payloads as legitimate notifications, auto-confirm subscriptions, or unsubscribe from attacker-controlled topics by sending crafted HTTP POST requests to the endpoint.

Workaround

This vulnerability can be mitigated by manually verifying the SNS message signature in a servlet filter or Spring HandlerInterceptor before the request reaches the controller, using SnsMessageManager from the AWS SDK v2 sns-message-manager module.

CVSS Base Scores

version 4.0
version 3.1