Skip to main content

ubuntu-pro-client CVE-2026-12391

| EUVDEUVD-2026-44912 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-07-16 canonical GHSA-whf7-7mxf-ww93
5.0
CVSS 3.1 · Vendor: canonical
Share

Severity by source

Vendor (canonical) PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.0 MEDIUM

Local vector and PR:L because symlink pre-placement requires a local account; UI:R because a privileged admin must manually invoke the diagnostic command; C:H for potential /etc/shadow disclosure; no integrity or availability impact applies.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (canonical).

CVSS VectorVendor: canonical

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 13:25 vuln.today
CVE Published
Jul 16, 2026 - 12:17 cve.org
MEDIUM 5.0

DescriptionCVE.org

An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.

AnalysisAI

Insecure symlink following in Canonical's ubuntu-pro-client pro collect-logs command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including /etc/shadow - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local low-privilege shell access
Delivery
Identify predictable staging path used by pro collect-logs
Exploit
Pre-place symlink at that path targeting /etc/shadow
Install
Await privileged operator to run pro collect-logs
C2
Tool follows symlink and reads root-owned file
Execute
Sensitive file contents bundled into user-readable archive
Impact
Attacker extracts and reads system secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires a local account with at least low privileges on the affected Ubuntu host and write access to the predictable path consumed by `pro collect-logs` - specifically the temporary directory or log staging location the tool uses before archiving. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N encodes a local attack of low complexity requiring low privileges, with the critical limiting factor being UI:R - an administrator must actively invoke `pro collect-logs`, which is not a routine or automated Ubuntu operation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user on a multi-user Ubuntu system identifies the predictable temporary or log directory path consumed by `pro collect-logs` and creates a symbolic link at that path pointing to `/etc/shadow`. When a system administrator later runs `pro collect-logs` to generate a support bundle - for example, before opening a Canonical support ticket - the tool follows the attacker-controlled symlink, reads the shadow password file as root, and bundles its contents into the archive. …
Remediation The primary fix is to upgrade ubuntu-pro-client to the patched version published by Canonical; consult the vendor advisory at https://ubuntu.com/security/CVE-2026-12391 for exact fixed package versions, as no specific patched release was confirmed in the available input data - patch availability is stated as available per vendor advisory but the version cannot be independently confirmed from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy