Signature Verification Flaw in AWS Tough <0.22.0 (go)
CVE-2026-6966 Published on April 24, 2026
Signature Threshold Bypass in awslabs/tough Delegated Roles
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.
We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
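The flaw described above is a counting error: a threshold check that counts every signature that verifies, rather than every distinct trusted key that signed, is satisfied by listing one valid signature several times. The following Rust example (added here; it is not code from awslabs/tough and does not reflect the project's actual fix) contrasts the two ways of counting on the same delegated-role input. The `toy_sign`/`toy_verify` pair is a constructed keyed-hash stand-in so the example runs offline with no crypto crate; the key IDs, secrets, and the role definition are all made up for the demonstration.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};

/// Signing key known to a role. Constructed stand-in: a 64-bit secret,
/// not a real TUF/Ed25519 key.
#[derive(Clone, Debug)]
pub struct Key {
    pub keyid: String,
    secret: u64,
}

/// One entry of a role's "signatures" array: which key signed, and the tag.
#[derive(Clone, Debug)]
pub struct Signature {
    pub keyid: String,
    pub sig: u64,
}

/// A delegated role: the keyids trusted for it and how many must sign.
pub struct Role {
    pub keyids: Vec<String>,
    pub threshold: usize,
}

/// Toy signing: keyed hash of the message (constructed; not cryptographic).
pub fn toy_sign(key: &Key, msg: &[u8]) -> Signature {
    let mut h = DefaultHasher::new();
    key.secret.hash(&mut h);
    msg.hash(&mut h);
    Signature { keyid: key.keyid.clone(), sig: h.finish() }
}

pub fn toy_verify(key: &Key, msg: &[u8], sig: &Signature) -> bool {
    toy_sign(key, msg).sig == sig.sig
}

fn lookup<'a>(keys: &'a [Key], keyid: &str) -> Option<&'a Key> {
    keys.iter().find(|k| k.keyid == keyid)
}

/// Flawed check: counts every signature that verifies, so the same valid
/// signature repeated in the array is counted again each time.
pub fn signed_count_naive(role: &Role, keys: &[Key], msg: &[u8], sigs: &[Signature]) -> usize {
    sigs.iter()
        .filter(|s| role.keyids.iter().any(|id| *id == s.keyid))
        .filter(|s| lookup(keys, &s.keyid).map_or(false, |k| toy_verify(k, msg, s)))
        .count()
}

/// Hardened check: counts distinct trusted keys that produced a valid
/// signature, so duplicates of one signature contribute once.
pub fn signed_count_unique(role: &Role, keys: &[Key], msg: &[u8], sigs: &[Signature]) -> usize {
    let mut seen: HashSet<&str> = HashSet::new();
    for s in sigs {
        if !role.keyids.iter().any(|id| *id == s.keyid) {
            continue; // key not delegated to this role
        }
        if let Some(k) = lookup(keys, &s.keyid) {
            if toy_verify(k, msg, s) {
                seen.insert(s.keyid.as_str());
            }
        }
    }
    seen.len()
}

pub fn meets_threshold_naive(role: &Role, keys: &[Key], msg: &[u8], sigs: &[Signature]) -> bool {
    signed_count_naive(role, keys, msg, sigs) >= role.threshold
}

pub fn meets_threshold_unique(role: &Role, keys: &[Key], msg: &[u8], sigs: &[Signature]) -> bool {
    signed_count_unique(role, keys, msg, sigs) >= role.threshold
}

/// Returns (naive verdict, unique verdict) for a 2-of-2 role whose metadata
/// carries one valid signature listed twice. Constructed scenario.
pub fn demo() -> (bool, bool) {
    let k1 = Key { keyid: "key-1".into(), secret: 0x1111 };
    let k2 = Key { keyid: "key-2".into(), secret: 0x2222 };
    let role = Role { keyids: vec!["key-1".into(), "key-2".into()], threshold: 2 };
    let msg = b"delegated targets metadata (constructed)";
    let good = toy_sign(&k1, msg);
    let duplicated = vec![good.clone(), good.clone()];
    let keys = [k1, k2];
    (
        meets_threshold_naive(&role, &keys, msg, &duplicated),
        meets_threshold_unique(&role, &keys, msg, &duplicated),
    )
}

fn main() {
    let (naive, unique) = demo();
    println!("naive count accepts: {naive}, unique-key count accepts: {unique}");
}
```

The naive check reports the 2-of-2 role as satisfied; the unique-key check rejects it because only `key-1` actually signed. Deduplicating on `keyid` is the framing the advisory uses; a stricter client would also reject metadata whose signature array contains the same keyid more than once at all, since well-formed TUF metadata never needs it.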
Vulnerability Analysis
CVE-2026-6966 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Products Associated with CVE-2026-6966
Affected Versions
AWS tough:
- Version 0.22.0 is unaffected.
- Version 0.15.0 is unaffected.