PT-2026-35080 · Pypi · Tough
1Seal
·
Published
2026-04-24
·
Updated
2026-05-21
·
CVE-2026-6967
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
tough versions prior to 0.22.0
Description
Remote authenticated users with delegated signing authority can bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache. This occurs because the
load delegations() function does not apply the same validation checks regarding expiration, hash, and length enforcement as the top-level targets metadata path.Recommendations
Upgrade to version 0.22.0.
Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tough