{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6967", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-04-24T16:15:46.781Z", "datePublished": "2026-04-24T19:41:43.460Z", "dateUpdated": "2026-04-24T20:13:20.016Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-24T19:59:27.098Z"}, "title": "Missing Delegated Metadata Validation in awslabs/tough", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141: Cache Poisoning"}]}], "affected": [{"vendor": "AWS", "product": "tough", "versions": [{"status": "unaffected", "version": "0.22.0"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "tuftool", "versions": [{"status": "unaffected", "version": "0.15.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.</p><p>We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.</p>"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tough/0.22.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tuftool/0.15.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T20:13:04.619106Z", "id": "CVE-2026-6967", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:13:20.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6967", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T20:13:04.619106Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:13:08.897Z"}}], "cna": {"title": "Missing Delegated Metadata Validation in awslabs/tough", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141: Cache Poisoning"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AWS", "product": "tough", "versions": [{"status": "unaffected", "version": "0.22.0"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "tuftool", "versions": [{"status": "unaffected", "version": "0.15.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tough/0.22.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tuftool/0.15.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.", "supportingMedia": [{"type": "text/html", "value": "<p>Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.</p><p>We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-24T19:59:27.098Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6967", "state": "PUBLISHED", "dateUpdated": "2026-04-24T20:13:20.016Z", "dateReserved": "2026-04-24T16:15:46.781Z", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "datePublished": "2026-04-24T19:41:43.460Z", "assignerShortName": "AMZN"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "matchCriteriaId": "51AC1B2A-ACBA-4ABE-9A31-1132436EEF0F", "versionEndExcluding": "0.22.0", "versionStartIncluding": "0.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:tuftool:*:*:*:*:*:rust:*:*", "matchCriteriaId": "E83215AA-4B4B-44C1-A062-B7212CF33EF5", "versionEndExcluding": "0.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."}], "id": "CVE-2026-6967", "lastModified": "2026-05-06T15:32:38.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2026-04-24T20:16:29.020", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Product"], "url": "https://crates.io/crates/tough/0.22.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Product"], "url": "https://crates.io/crates/tuftool/0.15.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.22.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tough", "source": "cna", "vendor": "AWS"}, "product": "tough", "vendor": "aws"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.15.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tuftool", "source": "cna", "vendor": "AWS"}, "product": "tuftool", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-28T05:46:46.521815+00:00", "value": {"mitigation_remediation": ["Update tough and tuftool packages to the patched releases v0.22.0 and v0.15.0", "Re\u2011build or refresh the local metadata cache to remove any potentially poisoned entries", "Configure the system to enforce expiration, hash, or length validation on all delegated metadata, using available tooling or custom checks"], "summary": {"action": "Immediate Patch", "impact": "Integrity Compromise"}, "threat_synthesis": {"affected_systems": "Affects the AWS: tough and AWS: tuftool packages for all versions earlier than tough\u2011v0.22.0 and tuftool\u2011v0.15.0. Any deployment that relies on these tools to download or validate software updates from a TUF repository is vulnerable.", "description_and_impact": "A flaw in the delegated metadata validation in awslabs/tough before version 0.22.0 allows an attacker who is a remote authenticated user with delegated signing authority to bypass TUF specification integrity checks. Because the load_delegations routine does not enforce expiration, hash, or length checks, the attacker can poison the local metadata cache with forged metadata. This violates the integrity guarantees expected from TUF and is classified as a CWE\u2011345 weakness.", "risk_and_exploitability": "The CVSS score of 7.1 indicates high severity. The EPSS score is below 1%, suggesting a very low probability that the vulnerability is actively exploited in the wild. The condition requires the attacker to be an authenticated user with delegated signing authority, so the risk is limited to those with such privileges and to environments that trust delegated metadata without additional safeguards. The vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-04-28T06:00:09.583433+00:00", "updated": "2026-04-28T09:17:49.562885+00:00", "vendors": ["aws", "aws$PRODUCT$tough", "aws$PRODUCT$tuftool"]}