← Volver a CVEs
CVE-2026-23992
MEDIUM5.9
Descripcion
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Detalles CVE
Puntuacion CVSS v3.15.9
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Vector de ataqueNETWORK
ComplejidadHIGH
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado1/22/2026
Ultima modificacion2/17/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
theupdateframework:go-tuf
Debilidades (CWE)
CWE-347
Referencias
https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0(security-advisories@github.com)
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.