GHSA-FG3J-5W9G-HMG7

Vulnerability from github – Published: 2026-05-05 22:04 – Updated: 2026-05-05 22:04
Summary
authd: Primary group ID is incorrectly set to value of UID
Details

authd 0.6.0 contains a bug (https://github.com/canonical/authd/issues/1482) which can lead to an incorrect primary group ID being stored for a user.

It affects users whose primary group ID (i.e. the GID in the user record) differs from their UID. There are two ways this can come about:

  1. The user was created with authd < 0.5.4 (released June 2025). Those users were created with UID != GID.

  2. The primary group of the user was modified manually with the authctl utility that is shipped with authd (authctl group set-gid).

A further condition is that some user information must have changed in the identity provider (otherwise the user record is not updated on login). If that is the case, the next time an affected user logs in, authd sets their primary group ID to their UID.

This could lead to local privilege escalation. Files and directories created by those users will also be owned by that incorrect primary group, which may grant other local users access to files they should not be able to reach.

Users who are affected by the issue can run this script to fix the primary group ID of all authd users and the file ownership of files in the home directory created with the incorrect GID:

authd_users=$(getent passwd --service authd | cut -d: -f1)
for user in $authd_users; do
    OLD_GID=$(id -g "$user")
    GID=$(getent group "$user" | cut -d: -f3)
    if [ -z "$GID" ]; then
        echo "Warning: could not determine GID for $user, skipping" >&2
        continue
    fi
    if [ "$OLD_GID" = "$GID" ]; then
        continue  # user not affected
    fi
    USER_HOME=$(getent passwd "$user" | cut -d: -f6)
    echo "Fixing $user: resetting GID from $OLD_GID to $GID"
    sudo authctl group set-gid "$user" "$OLD_GID"
    sudo authctl group set-gid "$user" "$GID"
    sudo chown -R --from=":$OLD_GID" ":$GID" "$USER_HOME"
done

After applying the fix, affected users must log out and log back in before id, groups, and the GID stamped on newly created files reflect the corrected primary group. You may also optionally terminate a user's active session with:

sudo loginctl terminate-user "$user"

If the users also own files outside their home directory, the ownership of those files might have to be updated as well.
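As an added audit example (not part of the advisory or of authd itself), the following shell function lists, without changing anything, users in the state this bug produces: a primary GID in the passwd record equal to the UID while the user's own named group carries a different GID. The sample passwd and group records are constructed; audit_live assumes the same getent calls the fix script above uses.

```shell
#!/bin/sh
# Added audit example, not from the advisory or the authd project.
# audit_primary_gids PASSWD_RECORDS GROUP_RECORDS
# Prints one line per affected user: "<user> <uid> <passwd_gid> <group_gid> <home>"
audit_primary_gids() {
    {
        printf '%s\n' "$2" | sed 's/^/G:/'    # group(5) lines, tagged G, read first
        printf '%s\n' "$1" | sed 's/^/P:/'    # passwd(5) lines, tagged P, read second
    } | awk -F: '
        $1 == "G" && NF >= 4 { grp[$2] = $4; next }     # group name -> gid
        $1 == "P" && NF >= 7 {
            user = $2; uid = $4; gid = $5; home = $7
            if (!(user in grp)) next                  # no self-named group: cannot judge
            # Affected: record says GID == UID, but the real group has another GID
            if (gid == uid && grp[user] != uid)
                printf "%s %s %s %s %s\n", user, uid, gid, grp[user], home
        }'
}

# Live check on a host running authd (lists only; use the advisory script to repair).
audit_live() {
    audit_primary_gids "$(getent passwd --service authd)" "$(getent group)"
}

# Constructed sample: alice was created by authd < 0.5.4 (UID 1000001, GID 1000002)
# and has been hit; bob was created with UID == GID and is healthy; carol had her
# primary GID set to 2000000 with authctl and has been hit.
SAMPLE_PASSWD='alice:x:1000001:1000001::/home/alice:/bin/bash
bob:x:1000003:1000003::/home/bob:/bin/bash
carol:x:1000005:1000005::/home/carol:/bin/bash'
SAMPLE_GROUP='alice:x:1000002:
bob:x:1000003:
carol:x:2000000:'

audit_primary_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```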

Fixed in authd 0.6.4 by: https://github.com/canonical/authd/commit/154b428305cb1a7a19c897626fefd09d6dde8b9f


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/authd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "0.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-842"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:04:07Z",
    "nvd_published_at": "2026-04-27T16:16:46Z",
    "severity": "HIGH"
  },
  "details": "authd 0.6.0 contains [a bug](https://github.com/canonical/authd/issues/1482) which can lead to an incorrect primary group ID.\n\nIt affects users whose primary group ID (i.e. the GID in the user record) differs from their UID. There are two ways which can lead to this:\n\n1. The user was created with authd \u003c 0.5.4 (released June 2025). Those users were created with UID != GID.\n\n2. The primary group of the user was modified manually with the authctl utility that is shipped with authd (`authctl group set-gid`).\n\nAnother condition is that some user information must have changed in the identity provider (else the user record is not updated upon login). If that is the case, the next time an affected user logs in, authd will set their primary group ID to their UID.\n\nThis could lead to local privileges escalation. Also, files and directories created by those users will be owned by that incorrect primary group, which may grant other local users access to those files which they shouldn\u0027t have.\n\nUsers who are affected by the issue can run this script to fix the primary group ID of all authd users and the file ownership of files in the home directory created with the incorrect GID:\n\n```bash\nauthd_users=$(getent passwd --service authd | cut -d: -f1)\nfor user in $authd_users; do\n    OLD_GID=$(id -g \"$user\")\n    GID=$(getent group \"$user\" | cut -d: -f3)\n    if [ -z \"$GID\" ]; then\n        echo \"Warning: could not determine GID for $user, skipping\" \u003e\u00262\n        continue\n    fi\n    if [ \"$OLD_GID\" = \"$GID\" ]; then\n        continue  # user not affected\n    fi\n    USER_HOME=$(getent passwd \"$user\" | cut -d: -f6)\n    echo \"Fixing $user: resetting GID from $OLD_GID to $GID\"\n    sudo authctl group set-gid \"$user\" \"$OLD_GID\"\n    sudo authctl group set-gid \"$user\" \"$GID\"\n    sudo chown -R --from=\":$OLD_GID\" \":$GID\" \"$USER_HOME\"\ndone\n```\n\nAfter applying the fix, affected users must log out and log back in for `id`, `groups`, and new file GID stamping to reflect the corrected primary group. You may also optionally terminate a user\u0027s active session with:\n\n```bash\nsudo loginctl terminate-user \"$user\"\n```\n\nIf the users also own files outside their home directory, the ownership of those files might have to be updated as well.\n\nFixed by: https://github.com/canonical/authd/commit/154b428305cb1a7a19c897626fefd09d6dde8b9f",
  "id": "GHSA-fg3j-5w9g-hmg7",
  "modified": "2026-05-05T22:04:07Z",
  "published": "2026-05-05T22:04:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/authd/security/advisories/GHSA-fg3j-5w9g-hmg7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6970"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/authd/commit/154b428305cb1a7a19c897626fefd09d6dde8b9f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/authd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "authd: Primary group ID is incorrectly set to value of UID "
}