Skip to main content

AWS tough CVE-2026-6967

| EUVDEUVD-2026-25628 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-04-24 AMZN GHSA-4v58-8p28-2rq3
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 24, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 20:32 vuln.today
Severity Changed
Apr 24, 2026 - 20:22 NVD
MEDIUM HIGH
CVSS changed
Apr 24, 2026 - 20:22 NVD
5.9 (MEDIUM) 7.1 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 20:15 euvd
EUVD-2026-25628
Analysis Generated
Apr 24, 2026 - 20:15 vuln.today
Patch released
Apr 24, 2026 - 20:15 nvd
Patch available
CVE Published
Apr 24, 2026 - 19:41 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 cargo packages depend on tough (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.9.0.

DescriptionCVE.org

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.

We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

AnalysisAI

Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated signing authority to poison local metadata caches by bypassing expiration, hash, and length validation checks. The vulnerability exists because load_delegations skips specification-mandated integrity checks applied to top-level targets metadata, enabling malicious delegated signers to inject invalid metadata. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0. CVSS 7.1 reflects network vector but high attack complexity (AT:P indicates specialized conditions). No public exploit or active exploitation confirmed at time of analysis, though authentication bypass tag suggests significant trust boundary violation.

Technical ContextAI

The Update Framework (TUF) is a framework for securing software update systems, used by AWS for package distribution and artifact signing. Tough is AWS Labs' Rust implementation of a TUF client library (cpe:2.3:a:aws:tough). TUF relies on a delegation chain where top-level metadata signs delegated targets metadata, with each layer subject to integrity checks including signature verification, expiration timestamps, content hashes, and length constraints per the specification. This vulnerability (CWE-345: Insufficient Verification of Data Authenticity) occurs in the load_delegations function, which processes delegated targets metadata but fails to enforce the same validation rules applied to top-level metadata. The missing checks allow delegated signers-who possess valid signing keys for their delegation scope-to craft metadata that violates TUF integrity constraints (expired timestamps, mismatched hashes, incorrect lengths) without detection. This breaks the defense-in-depth model where each metadata layer should independently validate its delegated content.

RemediationAI

Upgrade to tough-v0.22.0 or later and tuftool-v0.15.0 or later as recommended by AWS in security bulletin 2026-019-aws. Patched releases available at https://github.com/awslabs/tough/releases/tag/tough-v0.22.0 and https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0, with crates published to https://crates.io/crates/tough/0.22.0 and https://crates.io/crates/tuftool/0.15.0. Organizations unable to upgrade immediately should audit their TUF delegation chains to ensure all delegated signers are trusted and implement enhanced monitoring for metadata anomalies (expired timestamps, hash mismatches in logs). As a temporary compensating control, consider removing or limiting delegation depth in TUF repositories, which reduces attack surface by eliminating the vulnerable code path entirely, though this may impact operational flexibility for teams relying on delegation for distributed signing workflows. Note that this workaround prevents use of delegated targets metadata feature until patching is completed.

Share

CVE-2026-6967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy