Description

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. As a result, unauthorized modification of TUF metadata files is possible at rest or in transit, because no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
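One way to apply the workaround is to audit root metadata before trusting it. The following is an added example, not part of go-tuf or of this advisory; it assumes the standard TUF root.json layout (`signed.roles.<name>.threshold`), and the helper name `WeakThresholds` and the sample document are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// rootMeta keeps only the fields needed; Threshold is a pointer so "missing" differs from 0.
type rootMeta struct {
	Signed struct {
		Roles map[string]struct {
			Threshold *int `json:"threshold"`
		} `json:"roles"`
	} `json:"signed"`
}

// WeakThresholds (hypothetical helper) lists roles whose threshold is missing or below 1.
func WeakThresholds(raw []byte) ([]string, error) {
	var m rootMeta
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse root metadata: %w", err)
	}
	if len(m.Signed.Roles) == 0 {
		return nil, fmt.Errorf("no roles found in signed.roles")
	}
	var findings []string
	for name, r := range m.Signed.Roles {
		switch {
		case r.Threshold == nil:
			findings = append(findings, name+": threshold missing")
		case *r.Threshold < 1:
			findings = append(findings, fmt.Sprintf("%s: threshold %d (must be >= 1)", name, *r.Threshold))
		}
	}
	sort.Strings(findings) // map iteration order is random; sort for stable output
	return findings, nil
}

// Constructed sample: the "targets" role carries a threshold of 0.
const sampleRoot = `{"signed":{"_type":"root","roles":{
 "root":{"keyids":["k1"],"threshold":1},"targets":{"keyids":["k2"],"threshold":0},
 "snapshot":{"keyids":["k3"],"threshold":1},"timestamp":{"keyids":["k4"],"threshold":1}}}}`

func main() {
	findings, err := WeakThresholds([]byte(sampleRoot))
	fmt.Println(findings, err)
}
```

A non-empty result means the metadata should be rejected or the repository configuration corrected before clients consume it.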

INFO

Published Date: 2026-01-22T02:20:06.845Z

Last Modified: 2026-01-22T15:21:21.301Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-23992 vulnerability.

Vendor: Theupdateframework
Product: Go-tuf
