AWS Tough v<0.22.0 Path Traversal via Absolute Target Names
CVE-2026-6968 Published on April 24, 2026
Multiple Path Traversal Variants in awslabs/tough
Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.
We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
Vulnerability Analysis
CVE-2026-6968 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and a small impact on availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-6968 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-6968
Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.
Affected Versions
AWS tough:- Version 0.22.0 is unaffected.
- Version 0.15.0 is unaffected.