PT-2026-35081 · Awslabs · Tough

1Seal · Published 2026-04-24 · Updated 2026-05-21 · CVE-2026-6968

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

awslabs/tough versions prior to 0.22.0

Description

Incomplete path traversal fixes allow remote authenticated users with delegated signing authority to write files outside intended output directories. This occurs because write paths trust the joined destination path without post-resolution containment verification. The issue can be triggered via absolute target names in 'copy target/link target', symlinked parent directories in 'save target', or symlinked metadata filenames in the SignedRole::write function.

Recommendations

Upgrade to version 0.22.0.
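
The post-resolution containment check that the description says was missing, as an added Rust example; it is not code from tough or from its 0.22.0 fix. The names `contained_dest` and `scratch_tree` are hypothetical, the directory tree is constructed for the demonstration, and the code assumes a Unix host.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

fn denied(msg: &str) -> Error {
    Error::new(ErrorKind::PermissionDenied, msg)
}

/// Hypothetical helper (not tough's API): join, resolve, then verify containment.
pub fn contained_dest(outdir: &Path, name: &str) -> Result<PathBuf> {
    let root = fs::canonicalize(outdir)?;
    // Path::join discards `root` entirely when `name` is absolute.
    let joined = root.join(name);
    let file = joined.file_name().ok_or_else(|| denied("no file name"))?;
    let parent = joined.parent().ok_or_else(|| denied("no parent"))?;
    // canonicalize follows symlinks and `..`; starts_with compares whole components.
    let real_parent = fs::canonicalize(parent)?;
    if !real_parent.starts_with(&root) {
        return Err(denied("parent resolves outside outdir"));
    }
    let dest = real_parent.join(file);
    // A symlink already sitting at the final component would redirect the write.
    match fs::symlink_metadata(&dest) {
        Ok(m) if m.file_type().is_symlink() => Err(denied("destination is a symlink")),
        _ => Ok(dest),
    }
}

/// Constructed tree: out/sub, outside/, out/link -> outside, out/meta.json -> outside/x.
pub fn scratch_tree(tag: &str) -> Result<(PathBuf, PathBuf)> {
    let tmp = std::env::temp_dir().join(format!("contain-{}-{}", tag, std::process::id()));
    let _ = fs::remove_dir_all(&tmp);
    let (out, outside) = (tmp.join("out"), tmp.join("outside"));
    fs::create_dir_all(out.join("sub"))?;
    fs::create_dir_all(&outside)?;
    symlink(&outside, out.join("link"))?;
    symlink(outside.join("x"), out.join("meta.json"))?;
    Ok((out, outside))
}

fn main() -> Result<()> {
    let (out, outside) = scratch_tree("demo")?;
    let abs = outside.join("a").to_string_lossy().into_owned();
    for name in ["sub/ok.txt", abs.as_str(), "link/a", "meta.json"] {
        println!("{name:?} -> {:?}", contained_dest(&out, name));
    }
    Ok(())
}
```

The check and the later write are separate steps, so this only holds if nothing else can modify the output directory in between.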

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-6968

Affected Products

Tough