# AWS Security Advisory: Security Issues in tough Library and tuftool CLI Tool

**Advisory ID**: 2026-019-AWS

**Release Time**: April 24, 2026 12:45 PM PDT

**Severity**: Important (requires attention)

## Vulnerability Overview

`tough` is a Rust library used for generating, signing, and managing TUF (The Update Framework) repositories, and `tuftool` is its accompanying command-line tool. AWS has identified multiple security issues in them.

**Affected CVE IDs**:

* CVE-2026-6966
* CVE-2026-6967
* CVE-2026-6968

## Impact Scope

* **tough**: versions 0.1.0 through 0.21.x (inclusive)
* **tuftool**: versions 0.1.0 through 0.14.x (inclusive)

## Remediation

Please upgrade to the following patched versions:

* **tough**: 0.22.0 or later
* **tuftool**: 0.15.0 or later

## References

* [GHSA-8m7l-dm39-rv4x](https://github.com/advisories/GHSA-8m7l-dm39-rv4x)
* [GHSA-4v56-5p28-2n3](https://github.com/advisories/GHSA-4v56-5p28-2n3)
* [GHSA-v57p-qqpj-r7hg](https://github.com/advisories/GHSA-v57p-qqpj-r7hg)
* [Tough GitHub Repository](https://github.com/awslabs/tough)
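
A check for the affected ranges under Impact Scope, as an added example that is not part of the original advisory or the tough project: it scans `Cargo.lock` text for `tough` and `tuftool` entries and reports versions from 0.1.0 up to, but not including, the patched releases. The function names and the sample lockfile are constructed for illustration, and flagging a pre-release of a patched version is a conservative assumption.

```python
# Added example: version bounds are from the advisory; SAMPLE_LOCK is constructed.
import sys

# package -> (first affected, first patched) as (major, minor, patch, is_release)
AFFECTED = {
    "tough": ((0, 1, 0, 0), (0, 22, 0, 1)),
    "tuftool": ((0, 1, 0, 0), (0, 15, 0, 1)),
}

SAMPLE_LOCK = """\
version = 3
[[package]]
name = "example-dep"
version = "1.2.3"

[[package]]
name = "tough"
version = "0.21.0"
"""

def parse_version(text):
    """Return (major, minor, patch, is_release); a pre-release sorts below its release."""
    core, _, pre = text.split("+")[0].partition("-")
    nums = [int(p) for p in core.split(".")]
    return tuple((nums + [0, 0])[:3]) + (0 if pre else 1,)

def locked_packages(lock_text):
    """Yield (name, version) for each [[package]] table in Cargo.lock text."""
    name = version = None
    for line in lock_text.splitlines() + ["[[package]]"]:  # sentinel flushes last entry
        line = line.strip()
        if line.startswith("["):  # a new table starts: emit the previous package
            if name and version:
                yield name, version
            name = version = None
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = "):
            version = line.split("=", 1)[1].strip().strip('"')

def find_affected(lock_text):
    """Return sorted (name, version) pairs that fall in the affected ranges."""
    return sorted((n, v) for n, v in locked_packages(lock_text) if n in AFFECTED
                  and AFFECTED[n][0] <= parse_version(v) < AFFECTED[n][1])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in find_affected(text):
        print(f"{name} {version}: affected, upgrade to a patched release")
```

Run it with the path to a project's `Cargo.lock` as the only argument; with no argument it checks the constructed sample.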