The vulnerability CVE-2026-6967 in AWS tough (prior to v0.22.0) involves insufficient verification of data authenticity (CWE-345) in delegated metadata validation. Specifically, missing expiration, hash, and length enforcement in delegated metadata allows remote authenticated users with delegated signing authority to bypass The Update Framework (TUF) specification integrity checks for delegated targets metadata. This can lead to poisoning of the local metadata cache because the load_delegations function does not apply the same rigorous validation checks as the top-level targets metadata path. The vulnerability has a CVSS 3.1 base score of 5.9 (medium severity) with network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and low availability impact. AWS manages this as a cloud service and recommends upgrading to tough-v0.22.0 or tuftool-v0.15.0 to mitigate the issue.

An attacker with delegated signing authority can bypass integrity checks on delegated targets metadata, allowing them to poison the local metadata cache. This compromises the integrity of the metadata used by AWS tough, potentially leading to the acceptance of malicious or tampered metadata. There is no impact on confidentiality, and availability impact is low. The attack requires network access and low privileges but has high attack complexity.

A patch is available. AWS recommends upgrading to tough version 0.22.0 or tuftool version 0.15.0 to address this vulnerability. Since this is a cloud service, AWS manages remediation server-side; users should verify they are using updated versions or check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-019-aws/ for current guidance.