CVE-2026-44308

Source
https://cve.org/CVERecord?id=CVE-2026-44308
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44308.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44308
Aliases
Downstream
Published
2026-05-14T14:39:18.227Z
Modified
2026-07-15T01:49:09.965607882Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Details

Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-345"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44308.json"
}
References

Affected packages

Git / github.com/awspring/spring-cloud-aws

Affected ranges

Type
GIT
Repo
https://github.com/awspring/spring-cloud-aws
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "4.0.2"
        }
    ]
}

Affected versions

v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.2.0
v3.2.0-M1
v3.3.0
v3.3.0-M1
v3.3.0-RC1
v3.4.0
v4.*
v4.0.0
v4.0.0-M1
v4.0.0-RC1
v4.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44308.json"