HIGH SeverityCVSS 4.07.0CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

CVE-2026-6966

Last updated Apr 24, 2026 · Published Apr 24, 2026

Description

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Affected products

1 listed

AWS:tough; AWS:tuftool

Mappings

CWE

CWE-347

CAPEC

CAPEC-475

Guides

JWT Security Best PracticesWhat to validate, rotate, and avoid in real systems.
Secure Webhook VerificationSignature validation, replay protection, and idempotency.
Webhook Replay Attack ProtectionTime windows, nonces, and storage strategies.

Training

Data Protection and EncryptionEncryption at rest, in transit, and the practical choices developers actually make.