Signature Verification Flaw in Tough by AWS Labs
CVE-2026-6966

7 HIGH

Key Information:

Vendor:

AWS
CVE Published:
24 April 2026

What is CVE-2026-6966?

A flaw in Tough by AWS Labs allows remote authenticated users to bypass the signature threshold requirement of TUF (The Update Framework) by duplicating an existing valid cryptographic signature, so that a single signature is counted more than once toward the threshold. This can lead to the acceptance of forged delegated role metadata, undermining the security of signed updates. Users are strongly encouraged to upgrade to tough version 0.22.0 or tuftool version 0.15.0 to mitigate the risks associated with this vulnerability.
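The flaw described above is a counting error: a valid signature that appears twice in a metadata file must not count twice toward the role's threshold. The Rust example below is added here and is not tough's own code; it uses a constructed stand-in for public-key verification (each trusted key ID maps to the byte string it is expected to produce) and shows the flawed entry-count check beside a hardened check that counts distinct keys and rejects repeated key IDs.

```rust
use std::collections::{HashMap, HashSet};

/// One entry of the `signatures` array in a TUF metadata file.
#[derive(Clone, Debug, PartialEq)]
pub struct Signature {
    pub keyid: String,
    pub sig: Vec<u8>,
}

/// Trusted keys of a role, each mapped to the signature it would produce over
/// the payload: a constructed stand-in for real public-key verification.
pub type TrustedKeys = HashMap<String, Vec<u8>>;

fn signature_is_valid(keys: &TrustedKeys, s: &Signature) -> bool {
    keys.get(&s.keyid).map_or(false, |expected| *expected == s.sig)
}

/// Flawed check: counts valid signature entries, so one valid signature
/// listed twice satisfies threshold 2 with a single key.
pub fn meets_threshold_weak(sigs: &[Signature], keys: &TrustedKeys, threshold: usize) -> bool {
    sigs.iter().filter(|s| signature_is_valid(keys, s)).count() >= threshold
}

/// Hardened check: rejects a key ID listed more than once, then counts valid
/// signatures from distinct trusted keys toward the threshold.
pub fn meets_threshold_hardened(
    sigs: &[Signature],
    keys: &TrustedKeys,
    threshold: usize,
) -> Result<usize, String> {
    let mut seen: HashSet<&str> = HashSet::new();
    for s in sigs {
        if !seen.insert(s.keyid.as_str()) {
            return Err(format!("key ID {} appears more than once", s.keyid));
        }
    }
    let valid = sigs.iter().filter(|s| signature_is_valid(keys, s)).count();
    if valid >= threshold { Ok(valid) } else { Err(format!("{valid} of {threshold} required signatures")) }
}

/// Constructed scenario: threshold 2, two trusted keys, but the metadata
/// carries key A's valid signature twice and nothing from key B.
pub fn duplicated_signature_scenario() -> (Vec<Signature>, TrustedKeys, usize) {
    let keys = HashMap::from([
        ("keyA".to_string(), b"sig-from-A".to_vec()),
        ("keyB".to_string(), b"sig-from-B".to_vec()),
    ]);
    let a = Signature { keyid: "keyA".into(), sig: b"sig-from-A".to_vec() };
    (vec![a.clone(), a], keys, 2)
}
```

Signatures from key IDs not in the role's trusted set are ignored by both checks; only the hardened check refuses to let one key satisfy a multi-key threshold.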

Affected Version(s)

tough 0.22.0

tuftool 0.15.0

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved
