CVE-2026-6966 - Vulnerability Details

- Signature Threshold Bypass in awslabs/tough Delegated Roles

Description

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.

We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Published: 2026-04-24

Score: 7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the awslabs/tough library stems from improper enforcement of cryptographic signature uniqueness during delegated‑role validation. An attacker who has authenticated access can simply duplicate a valid signature until the required threshold is met, causing the client to accept forged delegation metadata. This flaw is a CWE‑347 weakness in signature handling and could let an attacker manipulate role assignments or inject malicious metadata, leading to unauthorized actions.

Affected Systems

Affected are AWS’s tough library and its companion tuftool. All releases prior to tough‑v0.22.0 and tuftool‑v0.15.0 are vulnerable, covering the Rust crates and any applications that depend on them.

Risk and Exploitability

The CVSS score of 7 reflects high severity, but the EPSS score of less than 1% indicates that exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to the TUF client and must craft duplicate signatures; if successful, the client will blindly accept the forged role metadata and may be misled into trusting malicious updates.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AWS

tough

unaffected

Version	Status	Constraints
`0.22.0`	unaffected	—

AWS

tuftool

unaffected

Version	Status	Constraints
`0.15.0`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:amazon:tough::::::rust::*
	cpe:2.3:a:amazon:tuftool::::::rust::*

No data.

Vendor Product Confidence Versions

Aws

Tough

100%

Version	Status	Scheme	Platform
`0.22.0`	unaffected	semver	—

Aws

Tuftool

100%

Version	Status	Scheme	Platform
`0.15.0`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the tough library to version 0.22.0 and a compatible tuftool to 0.15.0 as recommended by AWS.
If an immediate upgrade is not feasible, deploy a custom check that verifies the uniqueness of each signature in delegated role metadata before the client processes it, rejecting any duplicate signatures.
After upgrading or applying the interim check, audit existing TUF metadata for duplicate signatures and revoke any compromised delegated roles to restore a trusted state.

Generated by OpenCVE AI on April 28, 2026 at 05:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8m7c-8m39-rv4x	awslabs/tough Delegated Roles have a Signature Threshold Bypass

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://aws.amazon.com/security/security-bulletins/2026-019-aws/
https://crates.io/crates/tough/0.22.0
https://crates.io/crates/tuftool/0.15.0
https://github.com/awslabs/tough/releases/tag/tough-v0.22.0
https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0
https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x

History

Wed, 06 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon tough Amazon tuftool
CPEs		cpe:2.3:a:amazon:tough::::::rust::* cpe:2.3:a:amazon:tuftool::::::rust::*
Vendors & Products		Amazon Amazon tough Amazon tuftool

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aws Aws tough Aws tuftool
Vendors & Products		Aws Aws tough Aws tuftool

Fri, 24 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x

Fri, 24 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
Title		Signature Threshold Bypass in awslabs/tough Delegated Roles
Weaknesses		CWE-347
References		https://aws.amazon.com/security/security-bulletins/2026-019-aws/ https://crates.io/crates/tough/0.22.0 https://crates.io/crates/tuftool/0.15.0 https://github.com/awslabs/tough/releases/tag/tough-v0.22.0 https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}` cvssV4_0 `{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}`

Subscriptions

Amazon Tough Tuftool

Aws Tough Tuftool

MITRE

Status: PUBLISHED

Assigner: AMZN

Published: 2026-04-24T19:38:24.907Z

Updated: 2026-04-24T20:15:28.842Z

Reserved: 2026-04-24T16:15:44.932Z

Link: CVE-2026-6966

Vulnrichment

Updated: 2026-04-24T20:15:15.302Z

NVD

Status : Analyzed

Published: 2026-04-24T20:16:28.883

Modified: 2026-05-06T15:24:56.720

Link: CVE-2026-6966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:17:50Z

Weaknesses

CWE-347

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object