{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6966", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-04-24T16:15:44.932Z", "datePublished": "2026-04-24T19:38:24.907Z", "dateUpdated": "2026-04-24T20:15:28.842Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-24T19:59:12.012Z"}, "title": "Signature Threshold Bypass in awslabs/tough Delegated Roles", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-475", "descriptions": [{"lang": "en", "value": "CAPEC-475: Signature Spoofing by Misrepresentation"}]}], "affected": [{"vendor": "AWS", "product": "tough", "versions": [{"status": "unaffected", "version": "0.22.0"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "tuftool", "versions": [{"status": "unaffected", "version": "0.15.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.</p><p>We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.</p>"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tough/0.22.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tuftool/0.15.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T20:15:12.033311Z", "id": "CVE-2026-6966", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:15:28.842Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T20:15:12.033311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:15:15.302Z"}}], "cna": {"title": "Signature Threshold Bypass in awslabs/tough Delegated Roles", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-475", "descriptions": [{"lang": "en", "value": "CAPEC-475: Signature Spoofing by Misrepresentation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AWS", "product": "tough", "versions": [{"status": "unaffected", "version": "0.22.0"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "tuftool", "versions": [{"status": "unaffected", "version": "0.15.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tough/0.22.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tuftool/0.15.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.</p><p>We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-24T19:59:12.012Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6966", "state": "PUBLISHED", "dateUpdated": "2026-04-24T20:15:28.842Z", "dateReserved": "2026-04-24T16:15:44.932Z", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "datePublished": "2026-04-24T19:38:24.907Z", "assignerShortName": "AMZN"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "matchCriteriaId": "B861C5C6-71EB-48B0-B55E-71BBF56DF2BF", "versionEndExcluding": "0.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:tuftool:*:*:*:*:*:rust:*:*", "matchCriteriaId": "E83215AA-4B4B-44C1-A062-B7212CF33EF5", "versionEndExcluding": "0.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."}], "id": "CVE-2026-6966", "lastModified": "2026-05-06T15:24:56.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2026-04-24T20:16:28.883", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Product"], "url": "https://crates.io/crates/tough/0.22.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Product"], "url": "https://crates.io/crates/tuftool/0.15.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.22.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tough", "source": "cna", "vendor": "AWS"}, "product": "tough", "vendor": "aws"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.15.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tuftool", "source": "cna", "vendor": "AWS"}, "product": "tuftool", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-28T05:48:07.969631+00:00", "value": {"mitigation_remediation": ["Upgrade the tough library to version 0.22.0 and a compatible tuftool to 0.15.0 as recommended by AWS.", "If an immediate upgrade is not feasible, deploy a custom check that verifies the uniqueness of each signature in delegated role metadata before the client processes it, rejecting any duplicate signatures.", "After upgrading or applying the interim check, audit existing TUF metadata for duplicate signatures and revoke any compromised delegated roles to restore a trusted state."], "summary": {"action": "Patch", "impact": "Bypassing the TUF signature threshold allows an authenticated user to forge delegated role metadata, potentially compromising the trust chain."}, "threat_synthesis": {"affected_systems": "Affected are AWS\u2019s tough library and its companion tuftool. All releases prior to tough\u2011v0.22.0 and tuftool\u2011v0.15.0 are vulnerable, covering the Rust crates and any applications that depend on them.\n\n", "description_and_impact": "The vulnerability in the awslabs/tough library stems from improper enforcement of cryptographic signature uniqueness during delegated\u2011role validation. An attacker who has authenticated access can simply duplicate a valid signature until the required threshold is met, causing the client to accept forged delegation metadata. This flaw is a CWE\u2011347 weakness in signature handling and could let an attacker manipulate role assignments or inject malicious metadata, leading to unauthorized actions.\n\n", "risk_and_exploitability": "The CVSS score of 7 reflects high severity, but the EPSS score of less than 1% indicates that exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to the TUF client and must craft duplicate signatures; if successful, the client will blindly accept the forged role metadata and may be misled into trusting malicious updates."}}}}, "created": "2026-04-28T06:00:09.584418+00:00", "updated": "2026-04-28T09:17:50.739088+00:00", "vendors": ["aws", "aws$PRODUCT$tough", "aws$PRODUCT$tuftool"]}