CVE-2026-11386
Awaiting Analysis Awaiting Analysis - Queue

APT Source Injection in Ubuntu Pro Client

Vulnerability report for CVE-2026-11386, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Canonical Ltd.

Description

An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] fieldβ€”which is passed positionally into a root-executed apt-get install commandβ€”an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
canonical ubuntu_pro_client *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an input validation and injection flaw in Canonical's ubuntu-pro-client. It allows attackers to inject malicious deb configuration lines into APT source files by exploiting improper handling of newline characters in contract server responses. The client uses Python's str.format() without escaping or validation, enabling arbitrary code execution with root privileges when combined with the unvalidated additionalPackages field.

Impact Analysis

An attacker could exploit this to install malicious packages on your system with root privileges. This could lead to complete system compromise, data theft, or further network infiltration. The vulnerability is particularly dangerous because the ubuntu-pro-client is preinstalled on Ubuntu Server and auto-attaches by default on cloud images.

Compliance Impact

This vulnerability could lead to unauthorized code execution and data breaches, violating compliance requirements for GDPR, HIPAA, and other regulations. Organizations may face penalties for failing to protect sensitive data due to this flaw in their Ubuntu systems.

Mitigation Strategies

Update the ubuntu-pro-client package immediately using sudo apt update && sudo apt upgrade ubuntu-pro-client. Disable auto-attachment if not needed and review contract server responses for unexpected newline characters or malicious package entries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart