Description
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Published: 2026-01-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of TUF metadata
Action: Patch
AI Analysis

Impact

The vulnerability in go-tuf allows a compromised or misconfigured TUF repository to set the signature verification threshold to zero, effectively disabling all integrity checks. This bypass creates a condition where any attacker who can alter the metadata or has control over the repository can inject malicious or incorrect information without detection. The most significant impact is the loss of trust in the update framework, potentially leading to malicious updates or replay attacks. The flaw is rooted in improper validation of a configuration value, classified as CWE-347.

Affected Systems

The Update Framework’s go-tuf library, version 2.0.0 through 2.3.0, is affected. The product is thego-tuf implementation provided by theupdateframework. Any project or system that incorporates these vulnerable library versions is at risk until the library is updated or the configuration is corrected.

Risk and Exploitability

With a CVSS score of 5.9 and an EPSS score below 1%, the technical severity is moderate and the exploitation probability is currently low. The vulnerability is not in the CISA KEV catalog. The likely attack vector is a compromised or deliberately misconfigured TUF repository where an adversary can set the signature threshold to zero, thereby disabling signature verification for all roles. Once this threshold is disabled, the attacker can modify metadata files at rest or during transit, leading to unauthorized updates or compromised integrity of software distributions.

Generated by OpenCVE AI on April 18, 2026 at 03:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 2.3.1 of go-tuf or later to fix the validation flaw.
  • If upgrading immediately is not feasible, configure all TUF metadata role thresholds to be at least 1 to prevent signature verification from being disabled.
  • Verify the repository configuration and monitor for any unauthorized changes to metadata to ensure integrity is maintained.

Generated by OpenCVE AI on April 18, 2026 at 03:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fphv-w9fq-2525 go-tuf improperly validates the configured threshold for delegations
History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Theupdateframework
Theupdateframework go-tuf
Vendors & Products Theupdateframework
Theupdateframework go-tuf

Thu, 22 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 02:45:00 +0000

Type Values Removed Values Added
Description go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Title go-tuf improperly validates the configured threshold for delegations
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Theupdateframework Go-tuf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T15:21:21.301Z

Reserved: 2026-01-19T18:49:20.657Z

Link: CVE-2026-23992

cve-icon Vulnrichment

Updated: 2026-01-22T15:21:16.820Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T03:15:47.470

Modified: 2026-02-17T16:02:19.330

Link: CVE-2026-23992

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-22T02:20:06Z

Links: CVE-2026-23992 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses