The vulnerability CVE-2026-6967 in AWS tough (before version 0.22.0) involves insufficient verification of data authenticity (CWE-345) in delegated metadata validation. Specifically, missing expiration, hash, and length enforcement in delegated metadata allows remote authenticated users with delegated signing authority to bypass The Update Framework (TUF) specification integrity checks for delegated targets metadata. This can lead to poisoning of the local metadata cache because the load_delegations function does not enforce the same validation checks as the top-level targets metadata path. The vulnerability has a CVSS 3.1 score of 5.9 (medium severity) with network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and low availability impact. AWS manages this as a cloud service and recommends upgrading to tough-v0.22.0 or tuftool-v0.15.0 to remediate the issue.

An attacker with delegated signing authority can bypass integrity checks on delegated targets metadata, potentially poisoning the local metadata cache. This compromises the integrity of the metadata used by the system, which could lead to trust violations in software update processes. There is no confidentiality impact reported, and availability impact is low. The vulnerability requires network access and low privileges but has high attack complexity.

A patch is available. AWS recommends upgrading to tough version 0.22.0 or tuftool version 0.15.0 to fix this vulnerability. Since this is a cloud service, AWS manages remediation on their side; users should verify they are using updated versions as per the AWS advisory at https://aws.amazon.com/security/security-bulletins/2026-019-aws/. Patch status is confirmed by the vendor advisory.