CVE-2026-9494
ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line
An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
| CWE | CWE-214 |
| Vendor | canonical |
| Product | ubuntu-pro-client (ubuntu-advantage-tools) |
| Ecosystems | |
| Industries | Technology |
| Published | Jul 16, 2026 |
Get instant alerts for canonical ubuntu-pro-client (ubuntu-advantage-tools)
Be the first to know when new medium vulnerabilities affecting canonical ubuntu-pro-client (ubuntu-advantage-tools) are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N