{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-9494","assignerOrgId":"cc1ad9ee-3454-478d-9317-d3e869d708bc","state":"PUBLISHED","assignerShortName":"canonical","dateReserved":"2026-05-25T08:23:24.573Z","datePublished":"2026-07-16T12:12:27.447Z","dateUpdated":"2026-07-16T15:11:07.229Z"},"containers":{"cna":{"title":"ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line","datePublic":"2026-07-16T12:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-214","description":"CWE-214 Invocation of process using visible sensitive information","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-13","descriptions":[{"lang":"en","value":"CAPEC-13 Subverting Environment Variable Values"}]}],"affected":[{"vendor":"Canonical","product":"ubuntu-pro-client (ubuntu-advantage-tools)","platforms":["Linux"],"collectionURL":"https://github.com/canonical/","packageName":"ubuntu-pro-client","repo":"https://github.com/canonical/ubuntu-pro-client","versions":[{"status":"affected","version":"0","lessThan":"37.3","versionType":"python"}],"defaultStatus":"unaffected"},{"vendor":"Canonical","product":"Ubuntu 26.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/resolute","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"37.2ubuntu0.1","versionType":"dpkg"}],"defaultStatus":"affected"},{"vendor":"Canonical","product":"Ubuntu 24.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/noble","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"37.2ubuntu~24.04.1","versionType":"dpkg"}],"defaultStatus":"affected"},{"vendor":"Canonical","product":"Ubuntu 22.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/jammy","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"37.2ubuntu~22.04.1","versionType":"dpkg"}],"defaultStatus":"affected"},{"vendor":"Canonical","product":"Ubuntu 20.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/focal","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"37.1ubuntu0~20.04.1","versionType":"dpkg"}],"defaultStatus":"affected"},{"vendor":"Canonical","product":"Ubuntu 18.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/bionic","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"37.1ubuntu0~18.04.1","versionType":"dpkg"}],"defaultStatus":"affected"},{"vendor":"Canonical","product":"Ubuntu 16.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/xenial","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"37.1ubuntu0~16.04.1","versionType":"dpkg"}],"defaultStatus":"affected"},{"vendor":"Canonical","product":"Ubuntu 14.04 LTS","platforms":["Linux"],"collectionURL":"https://launchpad.net/ubuntu/trusty","packageName":"ubuntu-advantage-tools","repo":"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools","versions":[{"status":"unaffected","version":"19.7ubuntu0.1","versionType":"dpkg"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in\nthe cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can\nmonitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.","supportingMedia":[{"type":"text/html","base64":false,"value":"An information disclosure vulnerability exists in Canonical ubuntu-pro-client<br>(formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT<br>credentials by executing /usr/lib/apt/apt-helper using the download-file<br>command. During this process, the secret bearer token is embedded directly in<br>the cleartext URL component passed via the command-line arguments (argv),<br>resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../.<br>On systems utilizing a default-mounted /proc file system where process-hiding<br>mitigations (such as hidepid) are disabled, an unprivileged local attacker can<br>monitor system processes and read the sensitive bearer token directly from<br>/proc/cmdline while the helper process is actively running. This leaked<br>token can subsequently be used to gain unauthorized access to the victim's<br>Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.<br>"}]}],"references":[{"url":"https://ubuntu.com/security/CVE-2026-9494","tags":["vdb-entry"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}],"credits":[{"lang":"en","value":"Bilal Teke","type":"finder"}],"source":{"discovery":"EXTERNAL"},"providerMetadata":{"orgId":"cc1ad9ee-3454-478d-9317-d3e869d708bc","shortName":"canonical","dateUpdated":"2026-07-16T12:12:27.447Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-16T13:36:06.361605Z","id":"CVE-2026-9494","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-16T15:11:07.229Z"}}]}}