CVE-2026-6966

CVSS v3: 5.3 MEDIUM
CVSS v2: N/A
Affected: 3 projects

Description

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
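The flaw class described above, shown as an added example that is not code from tough or from this advisory: a threshold check that counts every valid signature entry, next to one that counts each authorized key ID at most once. The types, the `verifies` stand-in for real signature verification, and the `key-a`/`key-b` sample values are all constructed assumptions.

```rust
use std::collections::{HashMap, HashSet};

// Constructed types for illustration; these are not tough's own structures.
pub struct Signature {
    pub keyid: String,
    pub sig: String,
}

// Stand-in for public-key verification (assumption): a signature "verifies"
// when it equals the value registered for an authorized key ID.
fn verifies(authorized: &HashMap<String, String>, s: &Signature) -> bool {
    authorized.get(&s.keyid).map_or(false, |expected| expected == &s.sig)
}

// Flawed: every valid entry counts, so one signature listed twice counts twice.
pub fn naive_count(authorized: &HashMap<String, String>, sigs: &[Signature]) -> usize {
    sigs.iter().filter(|s| verifies(authorized, s)).count()
}

// Corrected: each authorized key ID contributes at most once to the threshold.
pub fn unique_count(authorized: &HashMap<String, String>, sigs: &[Signature]) -> usize {
    let mut seen: HashSet<&str> = HashSet::new();
    for s in sigs {
        if verifies(authorized, s) {
            seen.insert(s.keyid.as_str());
        }
    }
    seen.len()
}

// Constructed sample: two authorized keys; metadata carrying the given key IDs.
pub fn sample(keyids: &[&str]) -> (HashMap<String, String>, Vec<Signature>) {
    let authorized: HashMap<String, String> = [("key-a", "sig-a"), ("key-b", "sig-b")]
        .iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    let sigs = keyids.iter()
        .map(|k| Signature { keyid: k.to_string(), sig: authorized[*k].clone() })
        .collect();
    (authorized, sigs)
}

fn main() {
    let threshold = 2;
    let (authorized, sigs) = sample(&["key-a", "key-a"]); // one signer, duplicated
    println!("naive accepts: {}", naive_count(&authorized, &sigs) >= threshold);
    println!("unique accepts: {}", unique_count(&authorized, &sigs) >= threshold);
}
```

With a threshold of 2, the naive count accepts metadata signed by a single key, while the unique count rejects it until a second authorized key has signed.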

Rust libraries and tools for using and generating TUF repositories (GitHub, 224)
The Update Framework (TUF) repository client (Crates.io, 1.67M)
Utility for creating and signing The Update Framework (TUF) repositories (Crates.io, 412K)