PT-2026-3904 · Go-Tuf · Go-Tuf

Kommendorkapten · Published 2026-01-19 · Updated 2026-05-18 · CVE-2026-23992

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: go-tuf versions 2.0.0 through 2.3.0
Description: go-tuf, a Go implementation of The Update Framework (TUF), accepts role metadata whose signature threshold is 0. A TUF client treats a metadata file as properly signed when it carries at least "threshold" valid signatures from the role's keys; with a threshold of 0, a file with no valid signatures at all passes that check, so a compromised or misconfigured repository that publishes a threshold of 0 for a role effectively disables signature verification for that role's metadata. Anyone able to alter the affected metadata files in transit or at rest could then modify them without the client noticing.
Recommendations: Update to version 2.3.1 or later. As a workaround, ensure every TUF metadata role you publish, including delegated roles, is configured with a threshold of at least 1. The workaround only covers the misconfiguration case: a client running an affected version still accepts a threshold of 0 from whatever repository it talks to, so updating the client is the actual fix.
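The following Go program is an added illustration of the mechanism described above, written for this page rather than taken from go-tuf. It uses simplified stand-in types (Role, Signature, Metadata), an illustrative key ID "key-1", and signs the raw bytes of the signed section instead of the canonical JSON encoding that TUF actually uses; the sample metadata is constructed inline. verifyVulnerable shows the comparison that a threshold of 0 turns into a no-op, and verifyHardened the client-side equivalent of the workaround.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Illustrative stand-ins for the TUF metadata shapes involved; not go-tuf's own types.
type Role struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

type Signature struct {
	KeyID string
	Sig   string // hex-encoded Ed25519 signature over Metadata.Signed
}

type Metadata struct {
	Signatures []Signature
	Signed     json.RawMessage
}

// countValid counts distinct role keys with a valid signature over the signed
// section; keys outside the role, repeated key IDs and bad signatures do not count.
func countValid(m Metadata, role Role, keys map[string]ed25519.PublicKey) int {
	allowed := map[string]bool{}
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	seen := map[string]bool{}
	for _, s := range m.Signatures {
		pub, ok := keys[s.KeyID]
		if !ok || !allowed[s.KeyID] || seen[s.KeyID] {
			continue
		}
		if sig, err := hex.DecodeString(s.Sig); err == nil && ed25519.Verify(pub, m.Signed, sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// verifyVulnerable reproduces the failure mode: with Threshold == 0, an unsigned file satisfies "valid >= threshold".
func verifyVulnerable(m Metadata, role Role, keys map[string]ed25519.PublicKey) error {
	if n := countValid(m, role, keys); n < role.Threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", n, role.Threshold)
	}
	return nil
}

// verifyHardened treats a threshold below 1 as an invalid role (the client-side form of the workaround).
func verifyHardened(m Metadata, role Role, keys map[string]ed25519.PublicKey) error {
	if role.Threshold < 1 {
		return fmt.Errorf("invalid threshold %d: must be at least 1", role.Threshold)
	}
	return verifyVulnerable(m, role, keys)
}

// Outcome records each verifier's decision for the three constructed cases.
type Outcome struct {
	VulnAcceptsUnsigned, HardAcceptsUnsigned bool // threshold 0, no signatures
	VulnAcceptsSigned, HardAcceptsSigned     bool // threshold 1, one good signature
	VulnAcceptsTampered, HardAcceptsTampered bool // threshold 1, signed section altered
}

// Run builds constructed sample metadata (not from any real repository) and runs both verifiers.
func Run() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const keyID = "key-1" // illustrative; TUF derives key IDs from the key itself
	keys := map[string]ed25519.PublicKey{keyID: pub}
	signed := json.RawMessage(`{"_type":"targets","version":2,"targets":{"app.tar.gz":{"length":1024}}}`)
	sigs := []Signature{{KeyID: keyID, Sig: hex.EncodeToString(ed25519.Sign(priv, signed))}}
	unsigned := Metadata{Signed: signed}
	good := Metadata{Signed: signed, Signatures: sigs}
	tampered := Metadata{Signed: json.RawMessage(`{"_type":"targets","version":3,"targets":{}}`), Signatures: sigs}
	zero := Role{KeyIDs: []string{keyID}, Threshold: 0}
	one := Role{KeyIDs: []string{keyID}, Threshold: 1}
	return Outcome{
		VulnAcceptsUnsigned: verifyVulnerable(unsigned, zero, keys) == nil,
		HardAcceptsUnsigned: verifyHardened(unsigned, zero, keys) == nil,
		VulnAcceptsSigned:   verifyVulnerable(good, one, keys) == nil,
		HardAcceptsSigned:   verifyHardened(good, one, keys) == nil,
		VulnAcceptsTampered: verifyVulnerable(tampered, one, keys) == nil,
		HardAcceptsTampered: verifyHardened(tampered, one, keys) == nil,
	}, nil
}

func main() {
	o, err := Run()
	fmt.Println(o, err) // err is nil unless the OS random source is unavailable
}
```

Running it prints the Outcome struct: the unsigned, threshold-0 file is accepted by verifyVulnerable and rejected by verifyHardened, both accept the correctly signed file, and both reject the tampered one. The same "threshold at least 1" check is worth running over every role in the root metadata, delegated roles included, before a repository is published.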


Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

AZL-75189
BDU:2026-01059
CLEANSTART-2026-HF07497
CLEANSTART-2026-SH14815
CLEANSTART-2026-WN01990
CVE-2026-23992
GHSA-FPHV-W9FQ-2525
GO-2026-4349
OPENSUSE-SU-2026:10235-1
OPENSUSE-SU-2026:20386-1
SUSE-SU-2026:0403-1
SUSE-SU-2026:0757-1
SUSE-SU-2026:0777-1
SUSE-SU-2026:20904-1

Affected Products

Go-Tuf