CVE-2026-6966 | AWS tough/tuftool 0.22.0/up to 0.21 signature verification (EUVD-2026-25627)

VDB-359566 · CVE-2026-6966 · EUVD-2026-25627 AWS TOUGH/TUFTOOL 0.22.0/UP TO 0.21 SIGNATURE VERIFICATION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 4.1 $0-$5k 2.81+ Summaryinfo A vulnerability was found in AWS tough and tuftool and classified as problematic. This impacts an unknown function. Executing a manipulation can lead to signature verification. This vulnerability is handled as CVE-2026-6966. The attack can be executed remotely. There is not any exploit available. It is suggested to upgrade the affected component. Detailsinfo A vulnerability was found in AWS tough and tuftool. It has been declared as problematic. This vulnerability affects an unknown code. The manipulation with an unknown input leads to a signature verification vulnerability. The CWE definition for the vulnerability is CWE-347. The product does not verify, or incorrectly verifies, the cryptographic signature for data. As an impact it is known to affect integrity. CVE summarizes: Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0. The advisory is available at aws.amazon.com. This vulnerability was named CVE-2026-6966 since 04/24/2026. The exploitation appears to be difficult. The attack can be initiated remotely. The technical details are unknown and an exploit is not available. Upgrading to version tough-v0.22.0 eliminates this vulnerability. The upgrade is hosted for download at github.com. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-25627). Productinfo Vendor AWS Name tough tuftool Version 0.22.0 <=0.21 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 4.2 VulDB Meta Temp Score: 4.1 VulDB Base Score: 3.1 VulDB Temp Score: 3.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 5.3 CNA Vector (AMZN): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Signature verification CWE: CWE-347 / CWE-345 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: tough/tuftool tough-v0.22.0 Timelineinfo 04/24/2026 Advisory disclosed 04/24/2026 +0 days CVE reserved 04/24/2026 +0 days VulDB entry created 04/25/2026 +0 days VulDB entry last update Sourcesinfo Advisory: aws.amazon.com Status: Confirmed CVE: CVE-2026-6966 (🔒) GCVE (CVE): GCVE-0-2026-6966 GCVE (VulDB): GCVE-100-359566 EUVD: 🔒 Entryinfo Created: 04/24/2026 23:07 Updated: 04/25/2026 00:52 Changes: 04/24/2026 23:07 (40), 04/24/2026 23:08 (34), 04/25/2026 00:52 (2) Complete: 🔍 Cache ID: 99:521:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸