CVE-2026-12391 in ubuntu-pro-clientinfo

Summary

by MITRE • 07/16/2026

An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability represents a critical insecure symlink following flaw in the ubuntu-pro-client package that has significant implications for system security and privilege escalation. The issue manifests within the pro collect-logs command framework where the utility creates or utilizes predictable temporary file paths or user-accessible log directories during diagnostic information gathering without proper verification of file type or ownership. This design flaw allows unprivileged local attackers to exploit the system by creating symbolic links at predictable destination paths that point to arbitrary root-readable files such as /etc/shadow or private files within /root directory. The vulnerability aligns with CWE-367 which identifies the weakness of time-of-check to time-of-use race conditions and also maps to ATT&CK technique T1005 for data from local system and T1059 for command and scripting interpreter. The attack vector requires minimal privileges since attackers only need to create symlinks in predictable locations, making this particularly dangerous in multi-user environments where privilege separation is expected.

The operational impact of this vulnerability extends beyond simple information disclosure to encompass complete compromise of system secrets and credentials. When a root administrator or operator executes the pro collect-logs command, the tool follows the user-controlled symlink without proper validation, reads the target file contents, and compresses them into the resulting diagnostic support archive. Since the output archive remains readable by the unprivileged user who created the symlink, attackers can extract and read sensitive root-owned files containing passwords, private keys, configuration secrets, and other critical system information. This creates a persistent information disclosure risk that allows attackers to gain comprehensive knowledge of system configurations and credentials. The vulnerability demonstrates a fundamental flaw in temporary file handling practices where the system assumes that all paths are legitimate without proper validation, creating an attack surface that can be exploited by any local user with minimal privileges.

Mitigation strategies for this vulnerability require immediate attention from system administrators through multiple layers of defense. The most direct approach involves updating to patched versions of ubuntu-pro-client where the tool properly validates file types and ownership before processing files in temporary directories or log locations. System administrators should also implement restrictive permissions on temporary directories, ensuring that only root can create files in these locations and that the tools do not follow symlinks during file operations. Additional defensive measures include monitoring for suspicious symlink creation patterns in system logs, implementing mandatory access controls such as SELinux policies to restrict file access, and conducting regular security audits of system utilities that handle temporary files or user-supplied data. Organizations should also consider implementing principle of least privilege practices where the pro collect-logs command runs with minimal required privileges rather than full root access, reducing the potential impact if similar vulnerabilities are discovered in other components. The vulnerability highlights the importance of secure coding practices and proper input validation as outlined in industry standards such as NIST SP 800-160 and ISO/IEC 27001 security controls for system integrity protection.

Responsible

Canonical

Reservation

06/16/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Do you need the next level of professionalism?

Upgrade your account now!