CVE-2026-6966

Analyzed Analyzed - Analysis Complete

BaseFortify

Publication date: 2026-04-24

Last updated on: 2026-05-06

Assigner: AMZN

Description

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-24

Last Modified

2026-05-06

Generated

2026-05-07

EPSS Evaluated

2026-05-05

NVD

CVE-2026-6966

EUVD

EUVD-2026-25627

Affected Vendors & Products

Vendor	Product	Version / Range
amazon	tough	to 0.22.0 (exc)
amazon	tuftool	to 0.15.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-347	The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-6966

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

Ask Our AI Assistant

EPSS Chart