Medium severity, score 5.9. NVD Advisory. Published Apr 24, 2026. Updated May 6, 2026.
CVE-2026-6968
Description
Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.
We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
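The three write paths named in the description share one defect: the destination is taken to be `outdir.join(name)` and nothing re-checks where that path actually lands. The following Rust is an added example written for this page; it is not tough's code and does not reproduce its fix. `naive_dest` shows the trusting join, `contained_dest` is an illustrative hardened version that rejects absolute names and `..` lexically, canonicalizes the parent directory, and checks containment after resolution, and `demo` builds a constructed scratch layout under the system temp directory (an `out/` directory with a `link` symlink pointing to a sibling `elsewhere/` directory) to exercise both. All three function names and the case list are assumptions made for the example.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

fn reject(msg: &'static str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, msg)
}

/// The pattern the advisory describes: the joined path is trusted as the write
/// destination. If `name` is absolute, `Path::join` discards `outdir` entirely;
/// if a directory component of `name` is a symlink, the write follows it.
pub fn naive_dest(outdir: &Path, name: &str) -> PathBuf {
    outdir.join(name)
}

/// Illustrative hardened variant (not tough's implementation). The parent of the
/// destination must already exist so it can be canonicalized; creating it first
/// would itself have to go through the same check.
pub fn contained_dest(outdir: &Path, name: &str) -> io::Result<PathBuf> {
    let rel = Path::new(name);
    if rel.as_os_str().is_empty() {
        return Err(reject("empty target name"));
    }
    if rel.is_absolute() {
        return Err(reject("absolute target name"));
    }
    // Only plain components are allowed: `..`, `.`, a root or a prefix are rejected.
    if rel.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(reject("target name contains `..`, `.`, a root, or a prefix"));
    }
    let root = outdir.canonicalize()?;
    let joined = root.join(rel);
    let file_name = joined
        .file_name()
        .ok_or_else(|| reject("target name has no file name"))?
        .to_owned();
    let parent = joined.parent().ok_or_else(|| reject("no parent directory"))?;
    // Post-resolution containment: canonicalize follows every symlink in the
    // parent chain, so `out/link/file` resolves to wherever `link` points.
    let resolved_parent = parent.canonicalize()?;
    if !resolved_parent.starts_with(&root) {
        return Err(reject("destination resolves outside the output directory"));
    }
    let dest = resolved_parent.join(file_name);
    // A symlinked final component (e.g. a metadata filename pointing elsewhere)
    // would be followed by File::create; refuse it instead of overwriting the target.
    match fs::symlink_metadata(&dest) {
        Ok(meta) if meta.file_type().is_symlink() => {
            Err(reject("refusing to write through a symlinked file name"))
        }
        _ => Ok(dest),
    }
}

#[cfg(unix)]
fn make_symlink(target: &Path, link: &Path) -> io::Result<()> {
    std::os::unix::fs::symlink(target, link)
}

#[cfg(not(unix))]
fn make_symlink(_target: &Path, _link: &Path) -> io::Result<()> {
    Err(io::Error::new(io::ErrorKind::Unsupported, "symlink demo is Unix-only"))
}

/// Constructed scratch layout: <scratch>/out is the intended output directory,
/// <scratch>/out/link is a symlink to <scratch>/elsewhere. Returns, for each
/// constructed target name, whether `contained_dest` accepted it.
pub fn demo() -> io::Result<Vec<(&'static str, bool)>> {
    let scratch = std::env::temp_dir().join(format!("traversal-demo-{}", std::process::id()));
    let out = scratch.join("out");
    let elsewhere = scratch.join("elsewhere");
    let _ = fs::remove_dir_all(&scratch);
    fs::create_dir_all(&out)?;
    fs::create_dir_all(&elsewhere)?;
    make_symlink(&elsewhere, &out.join("link"))?;
    let cases = [
        "file.txt",        // plain name inside out/: accepted
        "sub/../file.txt", // `..` component: rejected lexically
        "/etc/passwd",     // absolute name: naive join would return it unchanged
        "link/file.txt",   // parent is a symlink out of out/: rejected after resolution
    ];
    let results: Vec<(&'static str, bool)> = cases
        .iter()
        .map(|&n| (n, contained_dest(&out, n).is_ok()))
        .collect();
    let _ = fs::remove_dir_all(&scratch);
    Ok(results)
}

fn main() -> io::Result<()> {
    for (name, accepted) in demo()? {
        println!("{:<18} {}", name, if accepted { "accepted" } else { "rejected" });
    }
    Ok(())
}
```

Two caveats a reviewer would raise against even this version. First, it is a check-then-write sequence, so a link swapped in between `canonicalize` and the actual open is not caught; on Linux, opening the final component with `O_NOFOLLOW` (or `openat` relative to a directory handle on the resolved parent) narrows that window. Second, `canonicalize` requires the parent to exist, so a caller that creates intermediate directories must run them through the same containment check before `create_dir_all`, otherwise a symlinked component redirects the directory creation just as it redirects the file write.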
Affected products: 3
Patches: 0 (no patches discovered yet)
References
- aws.amazon.com/security/security-bulletins/2026-019-aws/ (vendor advisory)
- github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg (vendor advisory)
- crates.io/crates/tough/0.22.0 (product)
- crates.io/crates/tuftool/0.15.0 (product)
- github.com/awslabs/tough/releases/tag/tough-v0.22.0 (release notes)
- github.com/awslabs/tough/releases/tag/tuftool-v0.15.0 (release notes)