Back to overview

CVE-2026-9494

MEDIUM
5.5
CVSS 3.1
Description
An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.

Metadata

CVE ID
CVE-2026-9494
State
PUBLISHED
Assigner
canonical
Reserved
2026-05-25 08:23 UTC
Published
2026-07-16 12:12 UTC
Last updated
2026-07-16 12:12 UTC
Primary CWE
CWE-214
CWE-214 Invocation of process using visible sensitive inform…
Vendor / Product
Canonical / ubuntu-pro-client (ubuntu-advantage-tools)
Sources
cve.org  ·  NVD

Severity & Metrics

5.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products (8)
VendorProductPlatformVersions
Canonical Ubuntu 14.04 LTS Linux 19.7ubuntu0.1
Canonical Ubuntu 16.04 LTS Linux 37.1ubuntu0~16.04.1
Canonical Ubuntu 18.04 LTS Linux 37.1ubuntu0~18.04.1
Canonical Ubuntu 20.04 LTS Linux 37.1ubuntu0~20.04.1
Canonical Ubuntu 22.04 LTS Linux 37.2ubuntu~22.04.1
Canonical Ubuntu 24.04 LTS Linux 37.2ubuntu~24.04.1
Canonical Ubuntu 26.04 LTS Linux 37.2ubuntu0.1
Canonical ubuntu-pro-client (ubuntu-advantage-tools) Linux 0 < 37.3
Weakness (CWE)
CWESourceDescription
CWE-214 cna CWE-214 Invocation of process using visible sensitive information
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.5 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Back to overview