Improper Verification of Cryptographic Signature in tough - CVE-2026-6966
Published: April 25, 2026


Vulnerability identifier: #VU127901
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-6966
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Amazon Web Services
Affected software:
tough

Detailed vulnerability description

The vulnerability allows a remote user to bypass the signature threshold requirement and cause the client to accept forged delegated role metadata.

The vulnerability exists because, when validating delegated role metadata, the client does not check that the signatures it counts toward the threshold come from distinct keys. A remote user who holds one valid signing key can include the same valid signature more than once, so a single key satisfies a threshold that should require several signers, and the client accepts forged delegated role metadata.

Exploitation requires access to a valid signing key.
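The following Rust snippet is an added illustration of the counting flaw described above and of the check that closes it; it is not code from the tough project, and the `Signature`, `TrustedKeys`, `meets_threshold_naive` and `meets_threshold_unique` names are assumptions. Real signature verification is replaced by a constructed lookup table of (keyid, sig) pairs, since the point is how the verified signatures are counted, not how each one is verified. The hardened version counts distinct key IDs rather than signature entries, so a repeated signature contributes only once.

```rust
use std::collections::{HashMap, HashSet};

/// One entry from the `signatures` array of a TUF metadata file.
#[derive(Clone, Debug)]
pub struct Signature {
    pub keyid: String,
    pub sig: String,
}

/// Constructed stand-in for real signature verification: for each trusted
/// keyid, the one signature value that is considered valid over the signed body.
pub struct TrustedKeys {
    valid: HashMap<String, String>,
}

impl TrustedKeys {
    /// Verify a single entry against the trusted-key table.
    pub fn verify(&self, s: &Signature) -> bool {
        self.valid.get(&s.keyid).map_or(false, |v| v == &s.sig)
    }
}

/// Flawed check (pattern described in the advisory): counts every verifying
/// signature entry. Duplicating one valid entry inflates the count, so a single
/// key can satisfy a threshold of 2.
pub fn meets_threshold_naive(keys: &TrustedKeys, sigs: &[Signature], threshold: usize) -> bool {
    let count = sigs.iter().filter(|s| keys.verify(s)).count();
    count >= threshold
}

/// Hardened check: counts distinct key IDs whose signature verifies, so each
/// trusted key contributes at most once no matter how often it appears.
pub fn meets_threshold_unique(keys: &TrustedKeys, sigs: &[Signature], threshold: usize) -> bool {
    let mut seen: HashSet<&str> = HashSet::new();
    for s in sigs {
        if keys.verify(s) {
            seen.insert(s.keyid.as_str());
        }
    }
    seen.len() >= threshold
}

/// Constructed sample: two trusted keys for a delegated role with threshold 2.
pub fn sample_keys() -> TrustedKeys {
    let mut valid = HashMap::new();
    valid.insert("key-a".to_string(), "sig-a-over-body".to_string());
    valid.insert("key-b".to_string(), "sig-b-over-body".to_string());
    TrustedKeys { valid }
}

/// Constructed metadata carrying the same valid signature twice.
pub fn duplicated_signatures() -> Vec<Signature> {
    let s = Signature { keyid: "key-a".into(), sig: "sig-a-over-body".into() };
    vec![s.clone(), s]
}

/// Constructed metadata properly signed by two distinct keys.
pub fn two_distinct_signatures() -> Vec<Signature> {
    vec![
        Signature { keyid: "key-a".into(), sig: "sig-a-over-body".into() },
        Signature { keyid: "key-b".into(), sig: "sig-b-over-body".into() },
    ]
}

fn main() {
    let keys = sample_keys();
    let threshold = 2;
    println!(
        "duplicated: naive={} unique={}",
        meets_threshold_naive(&keys, &duplicated_signatures(), threshold),
        meets_threshold_unique(&keys, &duplicated_signatures(), threshold)
    );
    println!(
        "two distinct: naive={} unique={}",
        meets_threshold_naive(&keys, &two_distinct_signatures(), threshold),
        meets_threshold_unique(&keys, &two_distinct_signatures(), threshold)
    );
}
```

A client that keys its count on the verified key ID, as `meets_threshold_unique` does, also gives a natural detection point: metadata in which the same key ID appears more than once in the `signatures` array is malformed and can be logged and rejected outright.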


How to mitigate CVE-2026-6966

Install the security update from the vendor's website.

Sources