Insufficient verification of data authenticity in tough - CVE-2026-6967


Published: April 25, 2026


Vulnerability identifier: #VU127900
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-6967
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Amazon Web Services
Affected software:
tough

Detailed vulnerability description

The vulnerability allows a remote user to bypass integrity checks for delegated targets metadata and poison the local metadata cache.

The vulnerability exists due to insufficient validation of delegated targets metadata in load_delegations: when a delegated role's metadata is processed, it is accepted and written to the local metadata cache without the checks a TUF client must apply to it. A remote user who can serve metadata to the client can therefore supply expired or otherwise invalid delegated targets metadata, bypass the integrity checks for that role, and poison the local metadata cache so that subsequent updates start from the attacker-supplied state.

Exploitation requires delegated signing authority for the affected role or write access to the repository metadata, which is why the severity is rated low despite the network attack vector.
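The checks a TUF client is expected to run on delegated targets metadata before caching it, as an added illustration in Rust (tough is a Rust crate). This is not tough's code and does not reproduce the flawed load_delegations; every type, role name, key ID and timestamp below is constructed, and toy_verify/toy_sign are a stand-in for real signature verification over the canonical signed body. The point is the ordering: delegation lookup, signature threshold, snapshot version, expiry, and only then the cache write, so an expired or otherwise invalid role never reaches the cache.

```rust
use std::collections::{HashMap, HashSet};

/// The "signed" body of a delegated targets role (only the fields the checks need).
#[derive(Clone, Debug, PartialEq)]
pub struct DelegatedTargets {
    pub role: String,
    pub version: u64,
    /// Expiry as seconds since the Unix epoch.
    pub expires: u64,
}

/// Signed envelope as served by the repository: body plus (key_id, signature) pairs.
#[derive(Clone, Debug)]
pub struct SignedMetadata {
    pub signed: DelegatedTargets,
    pub signatures: Vec<(String, String)>,
}

/// What the delegating (parent) role authorises: which key IDs, and how many must sign.
pub struct Delegation {
    pub key_ids: HashSet<String>,
    pub threshold: usize,
}

#[derive(Debug, PartialEq)]
pub enum LoadError {
    NotDelegated(String),
    SignatureThreshold { role: String, valid: usize, threshold: usize },
    VersionMismatch { role: String, expected: u64, got: u64 },
    Expired { role: String, expires: u64, now: u64 },
}

/// Pluggable signature check. A real client verifies Ed25519/RSA over canonical JSON;
/// this example injects a constructed checker so it runs offline.
pub type Verify = fn(key_id: &str, signed: &DelegatedTargets, sig: &str) -> bool;

pub struct Client {
    pub delegations: HashMap<String, Delegation>,
    /// Versions pinned by the already-trusted snapshot role.
    pub snapshot_versions: HashMap<String, u64>,
    /// Local metadata cache: only fully validated metadata may be written here.
    pub cache: HashMap<String, DelegatedTargets>,
    pub verify: Verify,
}

impl Client {
    /// Validate one delegated targets role fetched from the repo; cache it only on success.
    pub fn load_delegation(&mut self, remote: &SignedMetadata, now: u64) -> Result<(), LoadError> {
        let role = remote.signed.role.clone();
        // 1. The role must actually be delegated by the parent we already trust.
        let delegation = self.delegations.get(&role).ok_or_else(|| LoadError::NotDelegated(role.clone()))?;
        // 2. A threshold of distinct, delegated keys must have produced valid signatures.
        let mut seen = HashSet::new();
        let valid = remote.signatures.iter()
            .filter(|(kid, sig)| {
                delegation.key_ids.contains(kid) && seen.insert(kid.clone()) && (self.verify)(kid, &remote.signed, sig)
            })
            .count();
        if valid < delegation.threshold {
            return Err(LoadError::SignatureThreshold { role, valid, threshold: delegation.threshold });
        }
        // 3. The version must match the trusted snapshot (blocks rollback and mix-and-match).
        if let Some(&expected) = self.snapshot_versions.get(&role) {
            if remote.signed.version != expected {
                return Err(LoadError::VersionMismatch { role, expected, got: remote.signed.version });
            }
        }
        // 4. Expired metadata is rejected even when it is correctly signed.
        if remote.signed.expires <= now {
            return Err(LoadError::Expired { role, expires: remote.signed.expires, now });
        }
        // Only metadata that passed every check reaches the cache.
        self.cache.insert(role, remote.signed.clone());
        Ok(())
    }
}

/// Constructed stand-in for signature verification (not cryptography): a "signature"
/// is valid when it equals the expected token for (key, role, version, expires).
pub fn toy_verify(key_id: &str, signed: &DelegatedTargets, sig: &str) -> bool {
    sig == format!("sig:{}:{}:{}:{}", key_id, signed.role, signed.version, signed.expires)
}

pub fn toy_sign(key_id: &str, signed: &DelegatedTargets) -> (String, String) {
    (key_id.to_string(), format!("sig:{}:{}:{}:{}", key_id, signed.role, signed.version, signed.expires))
}

/// Constructed client state: parent delegates "team-a" to keys k1/k2 (threshold 1),
/// and the trusted snapshot pins team-a at version 3.
pub fn example_client() -> Client {
    let mut delegations = HashMap::new();
    delegations.insert("team-a".to_string(), Delegation {
        key_ids: ["k1".to_string(), "k2".to_string()].into_iter().collect(),
        threshold: 1,
    });
    let mut snapshot_versions = HashMap::new();
    snapshot_versions.insert("team-a".to_string(), 3);
    Client { delegations, snapshot_versions, cache: HashMap::new(), verify: toy_verify }
}

fn main() {
    let mut client = example_client();
    let now = 1_700_000_000; // constructed reference time
    let fresh = DelegatedTargets { role: "team-a".into(), version: 3, expires: now + 86_400 };
    let env = SignedMetadata { signatures: vec![toy_sign("k1", &fresh)], signed: fresh };
    println!("fresh: {:?}", client.load_delegation(&env, now));
    let stale = DelegatedTargets { role: "team-a".into(), version: 3, expires: now - 1 };
    let env = SignedMetadata { signatures: vec![toy_sign("k1", &stale)], signed: stale };
    println!("stale: {:?}", client.load_delegation(&env, now));
    println!("cached version: {:?}", client.cache.get("team-a").map(|t| t.version));
}
```

The stale role in main is rejected with Expired and the cache keeps version 3 from the earlier successful load; an unauthorised key or a version below the snapshot's pin fails on the earlier checks and is likewise never written. When auditing a client, the useful question is whether any path writes to the cache before all four checks have passed.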


How to mitigate CVE-2026-6967

Install the security update from the vendor's website.

Sources