CVE-2026-12391
Awaiting Analysis Awaiting Analysis - Queue

Insecure Symlink Following in Ubuntu Pro Client collect-logs Command

Vulnerability report for CVE-2026-12391, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Canonical Ltd.

Description

An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
canonical ubuntu_pro_client *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an insecure symlink following issue in Canonical ubuntu-pro-client's pro collect-logs command. It occurs because the tool creates or uses predictable temporary file paths without checking file types or ownership. An attacker can create a symlink pointing to sensitive files like /etc/shadow. When the command runs as root, it follows the symlink, reads the file, and includes it in a diagnostic archive. The attacker can then access the archive and read the sensitive data.

Detection Guidance

Check for the presence of ubuntu-pro-client and verify if the pro collect-logs command is installed. Look for unusual symlinks in /tmp or log directories that point to sensitive files. Review system logs for unexpected pro collect-logs executions by non-root users.

Impact Analysis

If exploited, this vulnerability allows an unprivileged local attacker to read sensitive system files such as /etc/shadow or files in /root. This could lead to full information disclosure of system secrets, including passwords or private data. The attacker gains access to root-owned files without needing elevated privileges.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements under GDPR (data protection) and HIPAA (health information privacy). Exposure of personal or health data may result in legal penalties, reputational damage, and loss of trust. Organizations must address this to maintain regulatory compliance.

Mitigation Strategies

Update ubuntu-pro-client to the latest patched version immediately. Remove any suspicious symlinks in /tmp or log directories. Restrict write permissions to /tmp and log directories. Monitor for unauthorized access to sensitive files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart