CVE-2026-6967

CVSS v3: 5.9 (MEDIUM)
CVSS v2: N/A
Affected: 3 projects

Description

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
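The three checks named above (length, hash, expiration), applied to a delegated targets role file, are sketched below as an added example. It is not code from tough or from this advisory. It assumes TUF-style JSON metadata and a snapshot "meta" entry for the role; the function, exception and sample names are hypothetical, and signature and version verification are separate steps left out.

```python
import hashlib
import json
from datetime import datetime, timezone


class MetadataError(Exception):
    """Raised when delegated metadata fails an integrity or freshness check."""


def check_delegated_targets(raw: bytes, snapshot_entry: dict, now: datetime) -> dict:
    """Validate one delegated targets role file before it is cached or trusted.

    raw            -- bytes of the role file exactly as downloaded
    snapshot_entry -- this role's entry in the snapshot "meta" map (assumed shape)
    now            -- timezone-aware current time
    """
    # Length: enforce the size recorded in the snapshot, when present.
    length = snapshot_entry.get("length")
    if length is not None and len(raw) != length:
        raise MetadataError(f"length {len(raw)} != snapshot length {length}")

    # Hashes: every digest listed in the snapshot must match the raw bytes.
    for alg, expected in snapshot_entry.get("hashes", {}).items():
        if alg not in ("sha256", "sha512"):
            raise MetadataError(f"unsupported hash algorithm {alg}")
        if hashlib.new(alg, raw).hexdigest() != expected.lower():
            raise MetadataError(f"{alg} digest mismatch")

    # Parse only after the bytes have passed the integrity checks.
    signed = json.loads(raw)["signed"]

    # Expiration: expired delegated metadata is rejected like top-level targets.
    expires = datetime.strptime(signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
    if expires.replace(tzinfo=timezone.utc) <= now:
        raise MetadataError(f"metadata expired at {signed['expires']}")
    return signed


# Constructed sample: a delegated role file and its matching snapshot entry.
SAMPLE_RAW = json.dumps({
    "signed": {"_type": "targets", "version": 3,
               "expires": "2030-01-01T00:00:00Z", "targets": {}},
    "signatures": [],
}).encode()
SAMPLE_ENTRY = {"version": 3, "length": len(SAMPLE_RAW),
                "hashes": {"sha256": hashlib.sha256(SAMPLE_RAW).hexdigest()}}
```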

Rust libraries and tools for using and generating TUF repositories (GitHub, 224)
The Update Framework (TUF) repository client (Crates.io, 1.67M)
Utility for creating and signing The Update Framework (TUF) repositories (Crates.io, 412K)