CVE-2026-6968 - Vulnerability Details

- Multiple Path Traversal Variants in awslabs/tough

Description

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.

We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Published: 2026-04-24

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Awslabs/tough suffered from incomplete path traversal protection. The flaw permits remote authenticated users that have delegated signing authority to write files outside designated output directories by supplying absolute target names in copy_target, link_target, or symlinked parents in save_target, as well as symlinked metadata filenames in SignedRole::write. This unchecked path resolution allows an attacker to overwrite files outside the intended directories, impacting confidentiality and integrity.

Affected Systems

Affected products are the AWS tough and tuftool libraries. Versions prior to tough‑v0.22.0 and tuftool‑v0.15.0 are vulnerable. Administrators should verify that the currently deployed binaries are older than these releases.

Risk and Exploitability

With a CVSS of 7.1 the vulnerability is considered moderate to high risk, but the EPSS is below 1 % and the issue is not in the CISA KEV catalog, indicating a low current exploitation rate. Attackers need a legitimate signed request that includes the vulnerable path parameters; no local code execution is required. The flaw is therefore constrained to users who have delegated signing rights, but once an attacker gains that capability the write permission enables destructive actions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AWS

tough

unaffected

Version	Status	Constraints
`0.22.0`	unaffected	—

AWS

tuftool

unaffected

Version	Status	Constraints
`0.15.0`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:amazon:tough::::::rust::*
	cpe:2.3:a:amazon:tuftool::::::rust::*

No data.

Vendor Product Confidence Versions

Aws

Tough

100%

Version	Status	Scheme	Platform
`0.22.0`	unaffected	semver	—

Aws

Tuftool

100%

Version	Status	Scheme	Platform
`0.15.0`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Replace all installations of aws tough and tuftool with the vendor‑released v0.22.0 and v0.15.0 releases or later.
After patching, review IAM policies to confirm that only trusted principals receive delegated signing rights.
Validate that all file‑path arguments provided to tough or tuftool are resolved to be within the intended directories and reject any absolute or symlinked paths.

Generated by OpenCVE AI on April 28, 2026 at 20:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00079.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://aws.amazon.com/security/security-bulletins/2026-019-aws/
https://crates.io/crates/tough/0.22.0
https://crates.io/crates/tuftool/0.15.0
https://github.com/awslabs/tough/releases/tag/tough-v0.22.0
https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0
https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg

History

Wed, 06 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon tough Amazon tuftool
CPEs		cpe:2.3:a:amazon:tough::::::rust::* cpe:2.3:a:amazon:tuftool::::::rust::*
Vendors & Products		Amazon Amazon tough Amazon tuftool

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aws Aws tough Aws tuftool
Vendors & Products		Aws Aws tough Aws tuftool

Fri, 24 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg

Fri, 24 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
Title		Multiple Path Traversal Variants in awslabs/tough
Weaknesses		CWE-22
References		https://aws.amazon.com/security/security-bulletins/2026-019-aws/ https://crates.io/crates/tough/0.22.0 https://crates.io/crates/tuftool/0.15.0 https://github.com/awslabs/tough/releases/tag/tough-v0.22.0 https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}` cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L'}`

Subscriptions

Amazon Tough Tuftool

Aws Tough Tuftool

MITRE

Status: PUBLISHED

Assigner: AMZN

Published: 2026-04-24T19:44:44.835Z

Updated: 2026-04-24T20:10:00.800Z

Reserved: 2026-04-24T16:15:48.228Z

Link: CVE-2026-6968

Vulnrichment

Updated: 2026-04-24T20:09:42.942Z

NVD

Status : Analyzed

Published: 2026-04-24T20:16:29.170

Modified: 2026-05-06T15:36:48.853

Link: CVE-2026-6968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object