SB20260425204 - Multiple vulnerabilities in tough
Published: April 25, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-6968)
The vulnerability allows a remote user to write files outside intended output directories.
The vulnerability exists due to path traversal in copy_target, link_target, save_target, and SignedRole::write when processing repository-controlled target names, parent directories, and metadata filenames. A remote user can supply crafted repository metadata and target paths to write files outside intended output directories.
Exploitation requires delegated signing authority in the remote repository.
2) Insufficient verification of data authenticity (CVE-ID: CVE-2026-6967)
The vulnerability allows a remote user to bypass integrity checks for delegated targets metadata and poison the local metadata cache.
The vulnerability exists due to improper validation of delegated targets metadata in load_delegations. A remote user can serve expired or otherwise invalid delegated targets metadata to bypass integrity checks for delegated targets metadata and poison the local metadata cache.
Exploitation requires delegated signing authority or write access to the metadata.
3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-6966)
The vulnerability allows a remote user to bypass the signature threshold requirement and cause the client to accept forged delegated role metadata.
The vulnerability exists due to improper verification of cryptographic signature uniqueness in delegated role validation when processing delegated role metadata signatures. A remote user can duplicate a valid signature to bypass the signature threshold requirement and cause the client to accept forged delegated role metadata.
Exploitation requires access to a valid signing key.
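The threshold flaw described in item 3 comes down to counting signatures instead of counting distinct trusted keys. The following added example (not code from tough) contrasts the two checks; the `verify_sig` stand-in and the key/signature values are constructed for illustration and replace real Ed25519/RSA verification.

```rust
use std::collections::HashSet;

/// A signature entry as carried in a TUF `signatures` array: the keyid of
/// the signing key plus the signature bytes.
#[derive(Debug, Clone)]
pub struct Signature {
    pub keyid: String,
    pub sig: Vec<u8>,
}

/// Stand-in for cryptographic verification (constructed for this example):
/// `trusted` maps a keyid to the signature value that key is expected to
/// produce over the role. Real code would verify `sig` against the public key.
pub fn verify_sig(trusted: &[(&str, &[u8])], s: &Signature) -> bool {
    trusted
        .iter()
        .any(|(k, v)| *k == s.keyid.as_str() && *v == s.sig.as_slice())
}

/// Weak check: every verifying signature counts, so the same valid signature
/// listed twice satisfies a threshold of 2 on its own.
pub fn threshold_met_naive(sigs: &[Signature], trusted: &[(&str, &[u8])], threshold: usize) -> bool {
    sigs.iter().filter(|s| verify_sig(trusted, s)).count() >= threshold
}

/// Corrected check: each trusted key can satisfy the threshold at most once,
/// no matter how many signature entries it contributed, and signatures from
/// keys the role does not trust are ignored entirely.
pub fn threshold_met(sigs: &[Signature], trusted: &[(&str, &[u8])], threshold: usize) -> bool {
    let mut seen: HashSet<&str> = HashSet::new();
    for s in sigs.iter().filter(|s| verify_sig(trusted, s)) {
        seen.insert(s.keyid.as_str());
    }
    seen.len() >= threshold
}

fn main() {
    // Constructed role: two trusted keys, threshold 2.
    let trusted: [(&str, &[u8]); 2] = [("key-a", &b"sig-a"[..]), ("key-b", &b"sig-b"[..])];
    let dup = vec![
        Signature { keyid: "key-a".into(), sig: b"sig-a".to_vec() },
        Signature { keyid: "key-a".into(), sig: b"sig-a".to_vec() },
    ];
    println!("naive accepts duplicate: {}", threshold_met_naive(&dup, &trusted, 2));
    println!("fixed accepts duplicate: {}", threshold_met(&dup, &trusted, 2));
}
```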
Remediation
Install the update from the vendor's website.
References
- https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg
- https://github.com/advisories/GHSA-v57p-gppj-p9vg
- https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3
- https://github.com/advisories/GHSA-4v58-8p28-2rq3
- https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x
- https://github.com/advisories/GHSA-8m7c-8m39-rv4x