{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6968", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-04-24T16:15:48.228Z", "datePublished": "2026-04-24T19:44:44.835Z", "dateUpdated": "2026-04-24T20:10:00.800Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-24T19:59:42.176Z"}, "title": "Multiple Path Traversal Variants in awslabs/tough", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126: Path Traversal"}]}], "affected": [{"vendor": "AWS", "product": "tough", "versions": [{"status": "unaffected", "version": "0.22.0"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "tuftool", "versions": [{"status": "unaffected", "version": "0.15.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.</p><p>We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.</p>"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tough/0.22.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tuftool/0.15.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T20:09:33.745527Z", "id": "CVE-2026-6968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:10:00.800Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6968", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-04-24T16:15:48.228Z", "datePublished": "2026-04-24T19:44:44.835Z", "dateUpdated": "2026-04-24T20:10:00.800Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-24T19:59:42.176Z"}, "title": "Multiple Path Traversal Variants in awslabs/tough", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126: Path Traversal"}]}], "affected": [{"vendor": "AWS", "product": "tough", "versions": [{"status": "unaffected", "version": "0.22.0"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "tuftool", "versions": [{"status": "unaffected", "version": "0.15.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.</p><p>We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.</p>"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tough/0.22.0", "tags": ["patch"]}, {"url": "https://crates.io/crates/tuftool/0.15.0", "tags": ["patch"]}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T20:09:33.745527Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:09:42.942Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "matchCriteriaId": "51AC1B2A-ACBA-4ABE-9A31-1132436EEF0F", "versionEndExcluding": "0.22.0", "versionStartIncluding": "0.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:tuftool:*:*:*:*:*:rust:*:*", "matchCriteriaId": "E83215AA-4B4B-44C1-A062-B7212CF33EF5", "versionEndExcluding": "0.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."}], "id": "CVE-2026-6968", "lastModified": "2026-05-06T15:36:48.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2026-04-24T20:16:29.170", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Product"], "url": "https://crates.io/crates/tough/0.22.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Product"], "url": "https://crates.io/crates/tuftool/0.15.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.22.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tough", "source": "cna", "vendor": "AWS"}, "product": "tough", "vendor": "aws"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.15.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tuftool", "source": "cna", "vendor": "AWS"}, "product": "tuftool", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-28T20:00:10.341308+00:00", "value": {"mitigation_remediation": ["Replace all installations of aws tough and tuftool with the vendor\u2011released v0.22.0 and v0.15.0 releases or later.", "After patching, review IAM policies to confirm that only trusted principals receive delegated signing rights.", "Validate that all file\u2011path arguments provided to tough or tuftool are resolved to be within the intended directories and reject any absolute or symlinked paths."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary file write via directory traversal"}, "threat_synthesis": {"affected_systems": "Affected products are the AWS tough and tuftool libraries. Versions prior to tough\u2011v0.22.0 and tuftool\u2011v0.15.0 are vulnerable. Administrators should verify that the currently deployed binaries are older than these releases.", "description_and_impact": "Awslabs/tough suffered from incomplete path traversal protection. The flaw permits remote authenticated users that have delegated signing authority to write files outside designated output directories by supplying absolute target names in copy_target, link_target, or symlinked parents in save_target, as well as symlinked metadata filenames in SignedRole::write. This unchecked path resolution allows an attacker to overwrite files outside the intended directories, impacting confidentiality and integrity.", "risk_and_exploitability": "With a CVSS of 7.1 the vulnerability is considered moderate to high risk, but the EPSS is below 1\u202f% and the issue is not in the CISA KEV catalog, indicating a low current exploitation rate. Attackers need a legitimate signed request that includes the vulnerable path parameters; no local code execution is required. The flaw is therefore constrained to users who have delegated signing rights, but once an attacker gains that capability the write permission enables destructive actions."}}}}, "created": "2026-04-28T09:17:48.306801+00:00", "updated": "2026-04-28T20:00:19.931349+00:00", "vendors": ["aws", "aws$PRODUCT$tough", "aws$PRODUCT$tuftool"]}