Skip to main content

AWS Tough CVE-2026-6966

| EUVDEUVD-2026-25627 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-04-24 AMZN GHSA-8m7c-8m39-rv4x
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 24, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 20:32 vuln.today
Severity Changed
Apr 24, 2026 - 20:22 NVD
MEDIUM HIGH
CVSS changed
Apr 24, 2026 - 20:22 NVD
5.3 (MEDIUM) 7.0 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 20:15 euvd
EUVD-2026-25627
Analysis Generated
Apr 24, 2026 - 20:15 vuln.today
Patch released
Apr 24, 2026 - 20:15 nvd
Patch available
CVE Published
Apr 24, 2026 - 19:38 nvd
HIGH 7.0

DescriptionCVE.org

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.

We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

AnalysisAI

Signature duplication in AWS Tough TUF client prior to v0.22.0 allows authenticated attackers to bypass threshold signature requirements for delegated role metadata by reusing a single valid signature multiple times. The flaw undermines TUF's multi-signature integrity model, enabling acceptance of forged metadata with reduced cryptographic validation. Vendor patch available (tough-v0.22.0, tuftool-v0.15.0). No public exploit code or active exploitation confirmed at time of analysis, but CVSS 7.0 reflects high integrity impact to both vulnerable and downstream systems.

Technical ContextAI

AWS Tough implements The Update Framework (TUF), a security framework for software update systems requiring threshold signatures (N-of-M valid signatures) on repository metadata to prevent tampering. TUF delegated roles allow repository owners to distribute signing authority across multiple keys. CWE-347 (Improper Verification of Cryptographic Signature) manifests here as a signature uniqueness validation failure - the client counts duplicate copies of the same signature toward the threshold requirement rather than enforcing N distinct valid signatures. For example, a 3-of-5 threshold could be satisfied with one valid signature duplicated three times instead of three independent signatures. This affects cpe:2.3:a:aws:tough:*:*:*:*:*:*:*:* (versions prior to 0.22.0) and cpe:2.3:a:aws:tuftool:*:*:*:*:*:*:*:* (versions prior to 0.15.0), the Rust-based TUF client library and tooling published to crates.io and maintained by AWS Labs.

RemediationAI

Upgrade to tough-v0.22.0 or tuftool-v0.15.0 immediately. For Rust projects using Cargo, update Cargo.toml dependencies to tough = "0.22.0" or tuftool = "0.15.0" and run cargo update. Patched releases available at https://github.com/awslabs/tough/releases/tag/tough-v0.22.0, https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0, and published to crates.io (https://crates.io/crates/tough/0.22.0, https://crates.io/crates/tuftool/0.15.0). No workarounds exist - the vulnerability is in core signature validation logic. If immediate upgrade is not feasible, implement compensating controls by restricting network access to TUF repository clients to trusted networks only, enforcing strict key management for all delegated role signing keys (treat compromise of any single key as critical incident), and implementing out-of-band verification of critical metadata updates until patching is complete. Note that restricting access reduces attack surface but does not eliminate risk from authenticated insiders or compromised credentials. Review recent metadata updates accepted by vulnerable client versions for anomalies such as unexpected role delegations or package additions.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-6966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy