Kommendorkapten

#34763 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-3904
7.5
2026-01-19
Go-Tuf · Go-Tuf · CVE-2026-23992
**Name of the Vulnerable Software and Affected Versions**

go-tuf versions 2.0.0 through 2.3.0

**Description**

go-tuf, a Go implementation of The Update Framework (TUF), is susceptible to a condition where a compromised or misconfigured repository can have signature thresholds set to 0. This effectively disables signature verification, potentially allowing unauthorized modification of TUF metadata files during transit or at rest.

**Recommendations**

Update to version 2.3.1 or later. As a workaround, ensure TUF metadata roles are configured with a threshold of at least 1.
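
The workaround can be checked offline against a repository's metadata files. The following is an added example, not go-tuf's own code and not part of this advisory: it parses metadata in the TUF specification's JSON layout and lists every role whose threshold is below 1, covering delegated roles in targets metadata as well as the top-level roles in root metadata. `WeakRoles` and `sampleRoot` are hypothetical names, and the sample metadata is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample root metadata: "targets" has threshold 0, "timestamp" omits it.
const sampleRoot = `{"signed":{"_type":"root","roles":{
 "root":{"keyids":["k1"],"threshold":1},"targets":{"keyids":["k2"],"threshold":0},
 "snapshot":{"keyids":["k3"],"threshold":1},"timestamp":{"keyids":["k4"]}}}}`

// role keeps the fields needed here; Name is present only on delegated roles.
type role struct {
	Name      string `json:"name"`
	Threshold int    `json:"threshold"`
}

// metadata maps signed.roles (root) and signed.delegations.roles (targets).
type metadata struct {
	Signed struct {
		Roles       map[string]role                  `json:"roles"`
		Delegations struct{ Roles []role `json:"roles"` } `json:"delegations"`
	} `json:"signed"`
}

// WeakRoles returns, sorted, each role with threshold < 1 (a missing threshold decodes as 0).
func WeakRoles(raw []byte) ([]string, error) {
	var m metadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse TUF metadata: %w", err)
	}
	roles := m.Signed.Delegations.Roles
	for name, r := range m.Signed.Roles {
		r.Name = name // top-level roles are keyed by name
		roles = append(roles, r)
	}
	var weak []string
	for _, r := range roles {
		if r.Threshold < 1 {
			weak = append(weak, r.Name)
		}
	}
	sort.Strings(weak)
	return weak, nil
}

func main() { fmt.Println(WeakRoles([]byte(sampleRoot))) }
```

Any name this check returns should block the metadata from being published or trusted until the role's threshold is raised to at least 1.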