tough <0.22.0: Missing Exp/Hash/Len in Delegated Metadata (CVE-2026-6967)
CVE-2026-6967 Published on April 24, 2026

Missing Delegated Metadata Validation in awslabs/tough
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass the TUF specification's integrity checks for delegated targets metadata and poison the local metadata cache. The cause is that load_delegations does not apply the same validation checks (expiration, and length and hashes recorded for the role file) that the top-level targets metadata path applies. Upgrade to tough-v0.22.0 / tuftool-v0.15.0.
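The following is an added example, not code from tough or from awslabs; it is written in Python rather than tough's Rust so it runs stand-alone on the standard library. It models the two loading paths the advisory contrasts: one that accepts any parseable delegated targets metadata, and one that applies the checks the top-level targets path applies (length and hashes recorded for the role file, version, role type, and expiration). Signature verification is assumed to have already passed, which is the advisory's threat model: the attacker holds delegated signing authority, so a rogue or expired role file carries a valid signature. All metadata bytes, role names (`team`), and snapshot entries are constructed for the example; the serialisation helper is a stand-in for canonical JSON.

```python
"""Model of delegated-targets loading with and without TUF integrity checks.
Added illustration, not tough's implementation."""
import hashlib
import json
from datetime import datetime, timezone


class MetadataError(Exception):
    """Raised when delegated metadata fails an integrity check."""


def canonical(signed: dict) -> bytes:
    # Deterministic serialisation (stand-in for canonical JSON) so the bytes
    # and the snapshot entry derived from them agree. The signature field is a
    # placeholder: signature verification is assumed done before these checks.
    envelope = {"signatures": [{"keyid": "delegated-key", "sig": "assumed-valid"}],
                "signed": signed}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def delegated_role(expires: str, targets: dict, version: int = 1) -> bytes:
    """Constructed delegated targets metadata as a delegated signer would publish."""
    signed = {"_type": "targets", "spec_version": "1.0", "version": version,
              "expires": expires, "targets": targets}
    return canonical(signed)


def snapshot_entry(raw: bytes, version: int) -> dict:
    """What snapshot.json records for a role file: version, plus optional length/hashes."""
    return {"version": version, "length": len(raw),
            "hashes": {"sha256": hashlib.sha256(raw).hexdigest()}}


def parse_expiry(ts: str) -> datetime:
    # TUF timestamps are ISO 8601 in UTC, e.g. 2027-01-01T00:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_delegation_unchecked(raw: bytes) -> dict:
    """Pre-fix pattern: anything that parses is cached and used."""
    return json.loads(raw)["signed"]


def load_delegation_checked(role: str, raw: bytes, snapshot_meta: dict, now: datetime) -> dict:
    """Hardened pattern: the same checks the top-level targets path applies."""
    entry = snapshot_meta.get(f"{role}.json")
    if entry is None:
        raise MetadataError(f"{role}: role file not listed in snapshot")
    if "length" in entry and len(raw) != entry["length"]:
        raise MetadataError(f"{role}: length {len(raw)} != snapshot length {entry['length']}")
    for alg, expected in entry.get("hashes", {}).items():
        if alg != "sha256":
            raise MetadataError(f"{role}: unsupported hash algorithm {alg}")
        if hashlib.sha256(raw).hexdigest() != expected:
            raise MetadataError(f"{role}: sha256 mismatch against snapshot")
    signed = json.loads(raw)["signed"]
    if signed.get("_type") != "targets":
        raise MetadataError(f"{role}: wrong role type {signed.get('_type')!r}")
    if signed.get("version") != entry["version"]:
        raise MetadataError(f"{role}: version {signed.get('version')} != snapshot {entry['version']}")
    if parse_expiry(signed["expires"]) <= now:
        raise MetadataError(f"{role}: metadata expired at {signed['expires']}")
    return signed


def reject_reason(role: str, raw: bytes, snapshot_meta: dict, now: datetime):
    """None if the checked loader accepts, else the reason it rejected."""
    try:
        load_delegation_checked(role, raw, snapshot_meta, now)
        return None
    except MetadataError as exc:
        return str(exc)


def demo() -> dict:
    """Returns {case: (unchecked_accepts, checked_accepts)} for three constructed cases."""
    now = datetime(2026, 5, 1, tzinfo=timezone.utc)
    good_targets = {"app.tar.gz": {"length": 1024, "hashes": {"sha256": "aa" * 32}}}
    good = delegated_role("2027-01-01T00:00:00Z", good_targets)
    snapshot_meta = {"team.json": snapshot_entry(good, 1)}

    # Same byte length as `good`, different target hash: a validly signed file that
    # is not the one snapshot.json commits to. Only the hash check catches it.
    rogue_targets = {"app.tar.gz": {"length": 1024, "hashes": {"sha256": "bb" * 32}}}
    rogue = delegated_role("2027-01-01T00:00:00Z", rogue_targets)

    # Expired role file that snapshot.json does commit to: only the expiry check catches it.
    expired = delegated_role("2026-01-01T00:00:00Z", good_targets)
    expired_snapshot = {"team.json": snapshot_entry(expired, 1)}

    cases = [("good", good, snapshot_meta), ("rogue", rogue, snapshot_meta),
             ("expired", expired, expired_snapshot)]
    return {name: (load_delegation_unchecked(raw) is not None,
                   reject_reason("team", raw, meta, now) is None)
            for name, raw, meta in cases}


if __name__ == "__main__":
    for case, (unchecked, checked) in demo().items():
        print(f"{case:8s} unchecked={unchecked} checked={checked}")
```

The unchecked loader accepts all three files, which is the cache-poisoning outcome the advisory describes; the checked loader accepts only the file that snapshot.json commits to and that has not expired. In a real client the snapshot entry comes from already-verified snapshot metadata, and the `now` value should be the client's trusted clock.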

References: Vendor Advisory, NVD

Vulnerability Analysis

CVE-2026-6967 is exploitable over the network by an attacker holding low privileges (here, delegated signing authority in the repository) and requires no user interaction; attack complexity is rated high. The assessed impact is none on confidentiality, high on integrity, and low on availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: LOW

Weakness Type

CWE-345: Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.


Products Associated with CVE-2026-6967

Amazon tough, Amazon tuftool

Affected Versions

AWS tough: versions before tough-v0.22.0 (fixed in tough-v0.22.0)
AWS tuftool: versions before tuftool-v0.15.0 (fixed in tuftool-v0.15.0)