CVE-2026-23992
Published: 22 January 2026
Summary
CVE-2026-23992 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Theupdateframework Go-Tuf. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-23992 affects go-tuf, a Go implementation of The Update Framework (TUF), specifically versions starting from 2.0.0 up to but not including 2.3.1. The vulnerability arises when a compromised or misconfigured TUF repository sets signature thresholds to 0, effectively disabling signature verification. This flaw, classified under CWE-347 (Improper Verification of Cryptographic Signature), allows unauthorized modifications to TUF metadata files either at rest or during transit, as no integrity checks are performed. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating medium severity with high integrity impact.
Attackers can exploit this vulnerability if they gain the ability to compromise or misconfigure a TUF repository, enabling them to set thresholds to 0 without requiring privileges, user interaction, or scope changes. Exploitation is network-accessible but requires high attack complexity. Successful attacks allow adversaries to arbitrarily modify TUF metadata, undermining the integrity of the update framework and potentially enabling further supply chain compromises through tampered metadata.
The go-tuf security advisory (GHSA-fphv-w9fq-2525) and fixing commit (b38d91fdbc69dfe31fe9230d97dafe527ea854a0) confirm that version 2.3.1 resolves the issue. As a workaround, administrators should ensure all TUF metadata roles are configured with a signature threshold of at least 1 to prevent disabling verification.
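To make the failure mode concrete, here is an added Go example (not go-tuf's own code; the `Signature` type and the `VerifyNaive`/`VerifyHardened` functions are hypothetical, and the metadata bytes are constructed). It counts valid Ed25519 signatures against a role threshold: the naive check accepts tampered metadata once the threshold is 0, while the hardened variant enforces the advisory's workaround of rejecting any threshold below 1.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signature pairs a signer key ID with raw signature bytes (constructed shape, not go-tuf's types).
type Signature struct {
	KeyID string
	Sig   []byte
}

// countValid returns how many distinct trusted keys produced a valid signature over signed.
func countValid(signed []byte, sigs []Signature, keys map[string]ed25519.PublicKey) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		if pk, ok := keys[s.KeyID]; ok && !seen[s.KeyID] && ed25519.Verify(pk, signed, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// VerifyNaive models the bug: with threshold 0, zero valid signatures satisfy "valid >= threshold".
func VerifyNaive(signed []byte, sigs []Signature, keys map[string]ed25519.PublicKey, threshold int) error {
	if n := countValid(signed, sigs, keys); n < threshold {
		return fmt.Errorf("only %d valid signature(s), threshold is %d", n, threshold)
	}
	return nil
}

// VerifyHardened applies the advisory's workaround as a hard rule: thresholds below 1 are rejected.
func VerifyHardened(signed []byte, sigs []Signature, keys map[string]ed25519.PublicKey, threshold int) error {
	if threshold < 1 {
		return fmt.Errorf("invalid threshold %d: must be at least 1", threshold)
	}
	return VerifyNaive(signed, sigs, keys, threshold)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"key1": pub}
	meta := []byte(`{"_type":"targets","version":2}`)     // constructed metadata
	tampered := []byte(`{"_type":"targets","version":3}`) // modified in transit
	sigs := []Signature{{KeyID: "key1", Sig: ed25519.Sign(priv, meta)}}
	fmt.Println("naive, threshold 0, tampered:", VerifyNaive(tampered, sigs, keys, 0))       // <nil>: accepted
	fmt.Println("hardened, threshold 0, tampered:", VerifyHardened(tampered, sigs, keys, 0)) // rejected
}
```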
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3672
Vulnerability details
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification of TUF metadata files at rest, or during transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Compromise Software Supply Chain (T1195.002): the vulnerability disables TUF metadata signature verification (threshold = 0), directly enabling attackers to tamper with update metadata and compromise the software supply chain.
Mitigating Controls (NIST 800-53 r5)
- SI-7 (Software, Firmware, and Information Integrity): directly requires cryptographic integrity verification of information (TUF metadata) to detect unauthorized modification, blocking the exact failure mode when thresholds are set to 0.
- CM-14 (Signed Components): mandates that system components and metadata be signed and verified before use, preventing acceptance of TUF files whose signature thresholds have been disabled.
- Requires integrity protection for information in transit, mitigating the transit-tampering path that becomes possible once TUF signature verification is bypassed.