Skip to main content

AWS Tough EUVDEUVD-2026-25629

| CVE-2026-6968 HIGH
Path Traversal (CWE-22)
2026-04-24 AMZN
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 24, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 20:32 vuln.today
Severity Changed
Apr 24, 2026 - 20:22 NVD
MEDIUM HIGH
CVSS changed
Apr 24, 2026 - 20:22 NVD
5.9 (MEDIUM) 7.1 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 20:15 euvd
EUVD-2026-25629
Analysis Generated
Apr 24, 2026 - 20:15 vuln.today
Patch released
Apr 24, 2026 - 20:15 nvd
Patch available
CVE Published
Apr 24, 2026 - 19:44 nvd
HIGH 7.1

DescriptionCVE.org

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.

We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

AnalysisAI

Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.

Technical ContextAI

AWS Tough is a Rust implementation of The Update Framework (TUF), a security framework for software update systems that uses cryptographic signatures and role-based delegation. TUF clients download metadata and target files from repositories while verifying signatures from delegated roles. The vulnerability stems from classic TOCTOU (time-of-check-time-of-use) race conditions in file operations: the code validates that a destination path is within allowed boundaries before symlink resolution, but then writes to the resolved path without re-validating containment. This affects three distinct operations: copy_target and link_target accept absolute paths in target names that bypass relative path validation; save_target follows symlinked parent directories after initial validation; and SignedRole::write trusts symlinked metadata filenames. The root cause maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), specifically the variant where symbolic link resolution occurs after boundary checks. The description notes these are 'incomplete path traversal fixes,' indicating prior CVEs addressed similar issues but missed these attack vectors, suggesting the codebase had partial mitigations that failed under specific conditions.

RemediationAI

Upgrade to AWS Tough 0.22.0 or later and AWS Tuftool 0.15.0 or later, available from GitHub releases (https://github.com/awslabs/tough/releases/tag/tough-v0.22.0 and https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0) and crates.io (https://crates.io/crates/tough/0.22.0 and https://crates.io/crates/tuftool/0.15.0). The patches implement post-resolution path containment checks that verify destination paths remain within intended directories after symlink resolution. If immediate patching is not feasible, implement compensating controls: restrict delegated signing authority to minimal necessary roles and principals, audit existing delegated role credentials and revoke unnecessary permissions, run TUF repository operations in isolated containers with read-only filesystem mounts outside target directories to limit traversal impact, and monitor file write operations for unexpected paths outside repository boundaries using filesystem audit tools like auditd or osquery (noting this adds operational overhead and may not prevent exploitation, only detect it). Review TUF repository metadata for unauthorized modifications if delegated signers had access during the vulnerability window. These workarounds reduce attack surface but do not eliminate the vulnerability - prioritize vendor-released patches.

Share

EUVD-2026-25629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy