Path Traversal Vulnerability in Tough by AWS Labs
CVE-2026-6968

7.1HIGH

Key Information:

Vendor

Aws

CVE Published:
24 April 2026

What is CVE-2026-6968?

An assessment of the Tough library by AWS Labs identified a vulnerability that lets remote authenticated users holding delegated signing authority exploit incomplete path traversal protections. It allows file paths to be manipulated so that files are written outside the designated output directories. The root cause is that validation relies on concatenating the destination path, with no robust containment check after the path has been resolved. As a result, absolute target names, symlinked parent directories, and specially crafted metadata filenames can all be used to escape the output directory. Users are strongly advised to upgrade to Tough v0.22.0 and Tuftool v0.15.0 to mitigate this vulnerability.
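The weakness described above is a destination check that stops at path concatenation. The Rust function below is an added example of the resolve-then-contain pattern a defender would expect instead; it is not Tough's or Tuftool's own code and not the actual fix shipped in the patched versions. It rejects absolute names and `..` lexically, then canonicalizes the nearest component of the destination that already exists on disk (which follows symlinks) and verifies the resolved path is still under the output directory. The function names `safe_target_path` and `setup_sandbox`, and the `out/link -> outside` sandbox layout, are assumptions constructed for the demonstration.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

fn reject(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, msg)
}

/// Hypothetical containment check (not tough's code): map a target or metadata
/// `name` under `out_dir` and verify, after symlinks are followed, that the
/// destination still lies inside `out_dir`.
pub fn safe_target_path(out_dir: &Path, name: &str) -> io::Result<PathBuf> {
    let rel = Path::new(name);
    // Lexical checks first: absolute names and `..` are never acceptable.
    if name.is_empty() || rel.is_absolute() {
        return Err(reject("target name must be a non-empty relative path"));
    }
    if rel
        .components()
        .any(|c| !matches!(c, Component::Normal(_) | Component::CurDir))
    {
        return Err(reject("target name contains '..' or a root/prefix component"));
    }

    let root = fs::canonicalize(out_dir)?;
    let dest = out_dir.join(rel);

    // Walk up to the nearest component that exists on disk. symlink_metadata
    // does not follow links, so a symlink (even a dangling one) counts as existing.
    let mut existing = dest.as_path();
    while fs::symlink_metadata(existing).is_err() {
        existing = existing
            .parent()
            .ok_or_else(|| reject("no existing ancestor"))?;
    }

    // canonicalize follows symlinks; a dangling symlink fails here and is rejected.
    let resolved = fs::canonicalize(existing)?;
    if !resolved.starts_with(&root) {
        return Err(reject("destination resolves outside the output directory"));
    }

    // Re-attach the not-yet-created remainder; no symlink can exist in it yet.
    let remainder = dest
        .strip_prefix(existing)
        .map_err(|_| reject("prefix mismatch"))?;
    if remainder.as_os_str().is_empty() {
        Ok(resolved)
    } else {
        Ok(resolved.join(remainder))
    }
}

#[cfg(unix)]
fn make_symlink(target: &Path, link: &Path) -> io::Result<()> {
    std::os::unix::fs::symlink(target, link)
}

#[cfg(not(unix))]
fn make_symlink(_target: &Path, _link: &Path) -> io::Result<()> {
    Ok(()) // constructed fixture only; symlink step skipped off Unix
}

/// Constructed throwaway fixture: <tmp>/out, <tmp>/outside and a symlink
/// <tmp>/out/link -> <tmp>/outside. Returns (out, outside).
pub fn setup_sandbox() -> io::Result<(PathBuf, PathBuf)> {
    let nanos = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?
        .as_nanos();
    let base = std::env::temp_dir()
        .join(format!("tough-demo-{}-{}", std::process::id(), nanos));
    let out = base.join("out");
    let outside = base.join("outside");
    fs::create_dir_all(&out)?;
    fs::create_dir_all(&outside)?;
    make_symlink(&outside, &out.join("link"))?;
    Ok((out, outside))
}

fn main() -> io::Result<()> {
    let (out, _outside) = setup_sandbox()?;
    for name in ["targets/app.tar.gz", "../escape.txt", "/etc/passwd", "link/escape.txt"] {
        match safe_target_path(&out, name) {
            Ok(p) => println!("{name:>22} -> allowed:  {}", p.display()),
            Err(e) => println!("{name:>22} -> rejected: {e}"),
        }
    }
    Ok(())
}
```

The order matters: the lexical checks catch `..` and absolute names cheaply, but only the post-canonicalization `starts_with` comparison catches a parent directory that has been replaced by a symlink, which is exactly the case concatenation alone misses.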

Affected Version(s)

tough 0.22.0

tuftool 0.15.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
