Search
Find a vulnerability
Search criteria
4 vulnerabilities found for Ubuntu 14.04 LTS by Canonical
CVE-2026-9494 (GCVE-0-2026-9494)
Vulnerability from nvd – Published: 2026-07-16 12:12 – Updated: 2026-07-16 15:11
VLAI
EPSS
VEX
Title
ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line
Summary
An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in
the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can
monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-214 - Invocation of process using visible sensitive information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2026-9494 | vdb-entry |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Canonical | ubuntu-pro-client (ubuntu-advantage-tools) |
Affected:
0 , < 37.3
(python)
|
|
| Canonical | Ubuntu 26.04 LTS |
Unaffected:
37.2ubuntu0.1
(dpkg)
|
|
| Canonical | Ubuntu 24.04 LTS |
Unaffected:
37.2ubuntu~24.04.1
(dpkg)
|
|
| Canonical | Ubuntu 22.04 LTS |
Unaffected:
37.2ubuntu~22.04.1
(dpkg)
|
|
| Canonical | Ubuntu 20.04 LTS |
Unaffected:
37.1ubuntu0~20.04.1
(dpkg)
|
|
| Canonical | Ubuntu 18.04 LTS |
Unaffected:
37.1ubuntu0~18.04.1
(dpkg)
|
|
| Canonical | Ubuntu 16.04 LTS |
Unaffected:
37.1ubuntu0~16.04.1
(dpkg)
|
|
| Canonical | Ubuntu 14.04 LTS |
Unaffected:
19.7ubuntu0.1
(dpkg)
|
Date Public
2026-07-16 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:36:06.361605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T15:11:07.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical/",
"defaultStatus": "unaffected",
"packageName": "ubuntu-pro-client",
"platforms": [
"Linux"
],
"product": "ubuntu-pro-client (ubuntu-advantage-tools)",
"repo": "https://github.com/canonical/ubuntu-pro-client",
"vendor": "Canonical",
"versions": [
{
"lessThan": "37.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/resolute",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 26.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu0.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~24.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~20.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~18.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~16.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/trusty",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 14.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "19.7ubuntu0.1",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bilal Teke"
}
],
"datePublic": "2026-07-16T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client\u003cbr\u003e(formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT\u003cbr\u003ecredentials by executing /usr/lib/apt/apt-helper using the download-file\u003cbr\u003ecommand. During this process, the secret bearer token is embedded directly in\u003cbr\u003ethe cleartext URL component passed via the command-line arguments (argv),\u003cbr\u003eresulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../.\u003cbr\u003eOn systems utilizing a default-mounted /proc file system where process-hiding\u003cbr\u003emitigations (such as hidepid) are disabled, an unprivileged local attacker can\u003cbr\u003emonitor system processes and read the sensitive bearer token directly from\u003cbr\u003e/proc/cmdline while the helper process is actively running. This leaked\u003cbr\u003etoken can subsequently be used to gain unauthorized access to the victim\u0027s\u003cbr\u003eUbuntu Pro or Expanded Security Maintenance (ESM) repositories.\u003cbr\u003e"
}
],
"value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in\nthe cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can\nmonitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim\u0027s Ubuntu Pro or Expanded Security Maintenance (ESM) repositories."
}
],
"impacts": [
{
"capecId": "CAPEC-13",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-13 Subverting Environment Variable Values"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-214",
"description": "CWE-214 Invocation of process using visible sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:12:27.447Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://ubuntu.com/security/CVE-2026-9494"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-9494",
"datePublished": "2026-07-16T12:12:27.447Z",
"dateReserved": "2026-05-25T08:23:24.573Z",
"dateUpdated": "2026-07-16T15:11:07.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11386 (GCVE-0-2026-11386)
Vulnerability from nvd – Published: 2026-07-16 12:16 – Updated: 2026-07-16 13:31
VLAI
EPSS
VEX
Title
ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution
Summary
An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2026-11386 | vdb-entry |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Canonical | ubuntu-pro-client (ubuntu-advantage-tools) |
Affected:
0 , < 37.3
(python)
|
|
| Canonical | Ubuntu 26.04 LTS |
Unaffected:
37.2ubuntu0.1
(dpkg)
|
|
| Canonical | Ubuntu 24.04 LTS |
Unaffected:
37.2ubuntu~24.04.1
(dpkg)
|
|
| Canonical | Ubuntu 22.04 LTS |
Unaffected:
37.2ubuntu~22.04.1
(dpkg)
|
|
| Canonical | Ubuntu 20.04 LTS |
Unaffected:
37.1ubuntu0~20.04.1
(dpkg)
|
|
| Canonical | Ubuntu 18.04 LTS |
Unaffected:
37.1ubuntu0~18.04.1
(dpkg)
|
|
| Canonical | Ubuntu 16.04 LTS |
Unaffected:
37.1ubuntu0~16.04.1
(dpkg)
|
|
| Canonical | Ubuntu 14.04 LTS |
Unaffected:
19.7ubuntu0.1
(dpkg)
|
Date Public
2026-07-16 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:30:45.443694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T13:31:16.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical/",
"defaultStatus": "unaffected",
"packageName": "ubuntu-pro-client",
"platforms": [
"Linux"
],
"product": "ubuntu-pro-client (ubuntu-advantage-tools)",
"repo": "https://github.com/canonical/ubuntu-pro-client",
"vendor": "Canonical",
"versions": [
{
"lessThan": "37.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/resolute",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 26.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu0.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~24.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~20.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~18.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~16.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/trusty",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 14.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "19.7ubuntu0.1",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Frederick Jerusha"
}
],
"datePublic": "2026-07-16T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An input validation and injection vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs\u003cbr\u003eAPT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their\u003cbr\u003eDEB822 equivalents) using data received directly from the contract server\u003cbr\u003eresponse via the directives.suites[] and directives.aptURL fields. Because\u003cbr\u003ethe client utilizes Python\u0027s str.format() to write these files without\u003cbr\u003eperforming escaping, validation, or newline character filtering, a malicious\u003cbr\u003eor tampered contract response containing embedded newline (\\n) characters can\u003cbr\u003esuccessfully inject arbitrary, attacker-controlled deb configuration lines into\u003cbr\u003eroot-owned APT sources.\u003cbr\u003eWhen combined with the unvalidated additionalPackages[] field\u2014which is passed\u003cbr\u003epositionally into a root-executed apt-get install command\u2014an attacker capable of\u003cbr\u003espoofing or manipulating the contract response (e.g., via a compromised internal\u003cbr\u003einfrastructure, an intercepted connection utilizing a trusted CA, or local logical\u003cbr\u003ebugs) can force the client to fetch and install malicious packages. This ultimately\u003cbr\u003eleads to arbitrary code execution with root privileges on the affected system. This\u003cbr\u003ecomponent is preinstalled on supported Ubuntu Server releases and auto-attaches by\u003cbr\u003edefault on cloud provider Ubuntu Pro images."
}
],
"value": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:16:02.508Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://ubuntu.com/security/CVE-2026-11386"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-11386",
"datePublished": "2026-07-16T12:16:02.508Z",
"dateReserved": "2026-06-05T15:11:57.169Z",
"dateUpdated": "2026-07-16T13:31:16.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11386 (GCVE-0-2026-11386)
Vulnerability from cvelistv5 – Published: 2026-07-16 12:16 – Updated: 2026-07-16 13:31
VLAI
EPSS
VEX
Title
ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution
Summary
An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2026-11386 | vdb-entry |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Canonical | ubuntu-pro-client (ubuntu-advantage-tools) |
Affected:
0 , < 37.3
(python)
|
|
| Canonical | Ubuntu 26.04 LTS |
Unaffected:
37.2ubuntu0.1
(dpkg)
|
|
| Canonical | Ubuntu 24.04 LTS |
Unaffected:
37.2ubuntu~24.04.1
(dpkg)
|
|
| Canonical | Ubuntu 22.04 LTS |
Unaffected:
37.2ubuntu~22.04.1
(dpkg)
|
|
| Canonical | Ubuntu 20.04 LTS |
Unaffected:
37.1ubuntu0~20.04.1
(dpkg)
|
|
| Canonical | Ubuntu 18.04 LTS |
Unaffected:
37.1ubuntu0~18.04.1
(dpkg)
|
|
| Canonical | Ubuntu 16.04 LTS |
Unaffected:
37.1ubuntu0~16.04.1
(dpkg)
|
|
| Canonical | Ubuntu 14.04 LTS |
Unaffected:
19.7ubuntu0.1
(dpkg)
|
Date Public
2026-07-16 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:30:45.443694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T13:31:16.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical/",
"defaultStatus": "unaffected",
"packageName": "ubuntu-pro-client",
"platforms": [
"Linux"
],
"product": "ubuntu-pro-client (ubuntu-advantage-tools)",
"repo": "https://github.com/canonical/ubuntu-pro-client",
"vendor": "Canonical",
"versions": [
{
"lessThan": "37.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/resolute",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 26.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu0.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~24.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~20.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~18.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~16.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/trusty",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 14.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "19.7ubuntu0.1",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Frederick Jerusha"
}
],
"datePublic": "2026-07-16T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An input validation and injection vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs\u003cbr\u003eAPT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their\u003cbr\u003eDEB822 equivalents) using data received directly from the contract server\u003cbr\u003eresponse via the directives.suites[] and directives.aptURL fields. Because\u003cbr\u003ethe client utilizes Python\u0027s str.format() to write these files without\u003cbr\u003eperforming escaping, validation, or newline character filtering, a malicious\u003cbr\u003eor tampered contract response containing embedded newline (\\n) characters can\u003cbr\u003esuccessfully inject arbitrary, attacker-controlled deb configuration lines into\u003cbr\u003eroot-owned APT sources.\u003cbr\u003eWhen combined with the unvalidated additionalPackages[] field\u2014which is passed\u003cbr\u003epositionally into a root-executed apt-get install command\u2014an attacker capable of\u003cbr\u003espoofing or manipulating the contract response (e.g., via a compromised internal\u003cbr\u003einfrastructure, an intercepted connection utilizing a trusted CA, or local logical\u003cbr\u003ebugs) can force the client to fetch and install malicious packages. This ultimately\u003cbr\u003eleads to arbitrary code execution with root privileges on the affected system. This\u003cbr\u003ecomponent is preinstalled on supported Ubuntu Server releases and auto-attaches by\u003cbr\u003edefault on cloud provider Ubuntu Pro images."
}
],
"value": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:16:02.508Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://ubuntu.com/security/CVE-2026-11386"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-11386",
"datePublished": "2026-07-16T12:16:02.508Z",
"dateReserved": "2026-06-05T15:11:57.169Z",
"dateUpdated": "2026-07-16T13:31:16.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9494 (GCVE-0-2026-9494)
Vulnerability from cvelistv5 – Published: 2026-07-16 12:12 – Updated: 2026-07-16 15:11
VLAI
EPSS
VEX
Title
ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line
Summary
An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in
the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can
monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-214 - Invocation of process using visible sensitive information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2026-9494 | vdb-entry |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Canonical | ubuntu-pro-client (ubuntu-advantage-tools) |
Affected:
0 , < 37.3
(python)
|
|
| Canonical | Ubuntu 26.04 LTS |
Unaffected:
37.2ubuntu0.1
(dpkg)
|
|
| Canonical | Ubuntu 24.04 LTS |
Unaffected:
37.2ubuntu~24.04.1
(dpkg)
|
|
| Canonical | Ubuntu 22.04 LTS |
Unaffected:
37.2ubuntu~22.04.1
(dpkg)
|
|
| Canonical | Ubuntu 20.04 LTS |
Unaffected:
37.1ubuntu0~20.04.1
(dpkg)
|
|
| Canonical | Ubuntu 18.04 LTS |
Unaffected:
37.1ubuntu0~18.04.1
(dpkg)
|
|
| Canonical | Ubuntu 16.04 LTS |
Unaffected:
37.1ubuntu0~16.04.1
(dpkg)
|
|
| Canonical | Ubuntu 14.04 LTS |
Unaffected:
19.7ubuntu0.1
(dpkg)
|
Date Public
2026-07-16 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:36:06.361605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T15:11:07.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical/",
"defaultStatus": "unaffected",
"packageName": "ubuntu-pro-client",
"platforms": [
"Linux"
],
"product": "ubuntu-pro-client (ubuntu-advantage-tools)",
"repo": "https://github.com/canonical/ubuntu-pro-client",
"vendor": "Canonical",
"versions": [
{
"lessThan": "37.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/resolute",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 26.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu0.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~24.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~20.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~18.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~16.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/trusty",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 14.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "19.7ubuntu0.1",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bilal Teke"
}
],
"datePublic": "2026-07-16T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client\u003cbr\u003e(formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT\u003cbr\u003ecredentials by executing /usr/lib/apt/apt-helper using the download-file\u003cbr\u003ecommand. During this process, the secret bearer token is embedded directly in\u003cbr\u003ethe cleartext URL component passed via the command-line arguments (argv),\u003cbr\u003eresulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../.\u003cbr\u003eOn systems utilizing a default-mounted /proc file system where process-hiding\u003cbr\u003emitigations (such as hidepid) are disabled, an unprivileged local attacker can\u003cbr\u003emonitor system processes and read the sensitive bearer token directly from\u003cbr\u003e/proc/cmdline while the helper process is actively running. This leaked\u003cbr\u003etoken can subsequently be used to gain unauthorized access to the victim\u0027s\u003cbr\u003eUbuntu Pro or Expanded Security Maintenance (ESM) repositories.\u003cbr\u003e"
}
],
"value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in\nthe cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can\nmonitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim\u0027s Ubuntu Pro or Expanded Security Maintenance (ESM) repositories."
}
],
"impacts": [
{
"capecId": "CAPEC-13",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-13 Subverting Environment Variable Values"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-214",
"description": "CWE-214 Invocation of process using visible sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:12:27.447Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://ubuntu.com/security/CVE-2026-9494"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-9494",
"datePublished": "2026-07-16T12:12:27.447Z",
"dateReserved": "2026-05-25T08:23:24.573Z",
"dateUpdated": "2026-07-16T15:11:07.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}