CVE-2026-44308: Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages.
An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages, causing the application to:
- Process arbitrary payloads as if they were legitimate SNS notifications.
- Auto-confirm subscriptions or unsubscribe from attacker-controlled topics.
Affected versions: 3.0.0 through 3.4.2, 4.0.0, and 4.0.1.
The 3.x line will not receive a fix; users on 3.x should apply the workaround below or upgrade to 4.0.2.
References
- github.com/advisories/GHSA-r4w4-wv68-qv85
- github.com/awspring/spring-cloud-aws
- github.com/awspring/spring-cloud-aws/commit/6ab2efd97891a3d0ed0126ffa1ce223c9cfa9638
- github.com/awspring/spring-cloud-aws/pull/1614
- github.com/awspring/spring-cloud-aws/security/advisories/GHSA-r4w4-wv68-qv85
- nvd.nist.gov/vuln/detail/CVE-2026-44308
Code Behaviors & Features
Detect and mitigate CVE-2026-44308 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →