CVE-2026-44308— Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44308
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对数据真实性的验证不充分
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| awspring | spring-cloud-aws | >= 3.0.0, < 4.0.2 | - | |
| io.awspring.cloud | spring-cloud-aws-sns | >= 3.0.0, < 4.0.2 | - |
II. Public POCs for CVE-2026-44308
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44308
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-345
- CVE-2026-44999
OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated C - CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX - CVE-2026-41432
New API: Stripe Webhook Signature Bypass via Empty Secret En - CVE-2026-42206
Roadiz OpenID Connect nonce generated but never validated — - CVE-2026-31835
Vaultwarden WebAuthn credential metadata tampered before sig
V. Comments for CVE-2026-44308
No comments yet