CVE-2026-9494 PUBLISHED

ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line

Assigner: canonical
Reserved: 25.05.2026 Published: 16.07.2026 Updated: 16.07.2026

An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.5

Product Status

Vendor Canonical
Product ubuntu-pro-client (ubuntu-advantage-tools)
Versions Default: unaffected
  • affected from 0 to 37.3 (excl.)
Vendor Canonical
Product Ubuntu 26.04 LTS
Versions Default: affected
  • Version 37.2ubuntu0.1 is unaffected
Vendor Canonical
Product Ubuntu 24.04 LTS
Versions Default: affected
  • Version 37.2ubuntu~24.04.1 is unaffected
Vendor Canonical
Product Ubuntu 22.04 LTS
Versions Default: affected
  • Version 37.2ubuntu~22.04.1 is unaffected
Vendor Canonical
Product Ubuntu 20.04 LTS
Versions Default: affected
  • Version 37.1ubuntu0~20.04.1 is unaffected
Vendor Canonical
Product Ubuntu 18.04 LTS
Versions Default: affected
  • Version 37.1ubuntu0~18.04.1 is unaffected
Vendor Canonical
Product Ubuntu 16.04 LTS
Versions Default: affected
  • Version 37.1ubuntu0~16.04.1 is unaffected
Vendor Canonical
Product Ubuntu 14.04 LTS
Versions Default: affected
  • Version 19.7ubuntu0.1 is unaffected

Credits

  • Bilal Teke finder

References

Problem Types

  • CWE-214 Invocation of process using visible sensitive information CWE

Impacts

  • CAPEC-13 Subverting Environment Variable Values