CVE-2026-12249 - Vulnerability Details

Link	Providers
https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d
https://ubuntu.com/security/CVE-2026-12249

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
Title		Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment
Weaknesses		CWE-348
References		https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d https://ubuntu.com/security/CVE-2026-12249
Metrics		cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:I/V:D/RE:L/U:Red'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12249", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-06-15T08:01:59.335Z", "datePublished": "2026-06-22T15:43:33.890Z", "dateUpdated": "2026-06-22T17:30:57.314Z"}, "containers": {"cna": {"title": "Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment", "datePublic": "2026-06-19T11:58:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-348", "description": "Improper verification of cryptographic signature", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Adversary in the Middle (AiTM)"}]}], "affected": [{"collectionURL": "https://github.com/ubuntu", "packageName": "adsys", "repo": "https://github.com/ubuntu/adsys", "versions": [{"status": "affected", "version": "0.13.0", "lessThan": "0.16.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Canonical", "product": "Ubuntu 20.04 LTS", "platforms": ["Linux"], "collectionURL": "https://launchpad.net/ubuntu/focal", "packageName": "adsys", "repo": "https://launchpad.net/ubuntu/+source/adsys", "versions": [{"status": "unaffected", "version": "0.9.2~20.04.2ubuntu0.1+esm2", "versionType": "dpkg"}], "defaultStatus": "unaffected"}, {"vendor": "Canonical", "product": "Ubuntu 22.04 LTS", "platforms": ["Linux"], "collectionURL": "https://launchpad.net/ubuntu/jammy", "packageName": "adsys", "repo": "https://launchpad.net/ubuntu/+source/adsys", "versions": [{"status": "unaffected", "version": "0.16.3~22.04.2ubuntu0.22.04.1", "versionType": "dpkg"}], "defaultStatus": "affected"}, {"vendor": "Canonical", "product": "Ubuntu 24.04 LTS", "platforms": ["Linux"], "collectionURL": "https://launchpad.net/ubuntu/noble", "packageName": "adsys", "repo": "https://launchpad.net/ubuntu/+source/adsys", "versions": [{"status": "unaffected", "version": "0.16.3~24.04.2ubuntu0.24.04.1", "versionType": "dpkg"}], "defaultStatus": "affected"}, {"vendor": "Canonical", "product": "Ubuntu 25.10", "platforms": ["Linux"], "collectionURL": "https://launchpad.net/ubuntu/questing", "packageName": "adsys", "repo": "https://launchpad.net/ubuntu/+source/adsys", "versions": [{"status": "unaffected", "version": "0.16.3", "versionType": "dpkg"}], "defaultStatus": "unaffected"}, {"vendor": "Canonical", "product": "Ubuntu 26.04 LTS", "platforms": ["Linux"], "collectionURL": "https://launchpad.net/ubuntu/resolute", "packageName": "adsys", "repo": "https://launchpad.net/ubuntu/+source/adsys", "versions": [{"status": "unaffected", "version": "0.16.4ubuntu1", "versionType": "dpkg"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3."}], "references": [{"url": "https://ubuntu.com/security/CVE-2026-12249", "tags": ["vdb-entry", "issue-tracking"]}, {"url": "https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NEGLIGIBLE", "Automatable": "YES", "Recovery": "IRRECOVERABLE", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "RED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:I/V:D/RE:L/U:Red"}}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-06-22T15:45:03.920Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T17:30:38.451893Z", "id": "CVE-2026-12249", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T17:30:57.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-22T17:30:38.451893Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T17:30:52.627Z"}}], "cna": {"title": "Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Adversary in the Middle (AiTM)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "IRRECOVERABLE", "baseScore": 9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:I/V:D/RE:L/U:Red", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/ubuntu/adsys", "versions": [{"status": "affected", "version": "0.13.0", "lessThan": "0.16.3", "versionType": "semver"}], "packageName": "adsys", "collectionURL": "https://github.com/ubuntu", "defaultStatus": "unaffected"}, {"repo": "https://launchpad.net/ubuntu/+source/adsys", "vendor": "Canonical", "product": "Ubuntu 20.04 LTS", "versions": [{"status": "unaffected", "version": "0.9.2~20.04.2ubuntu0.1+esm2", "versionType": "dpkg"}], "platforms": ["Linux"], "packageName": "adsys", "collectionURL": "https://launchpad.net/ubuntu/focal", "defaultStatus": "unaffected"}, {"repo": "https://launchpad.net/ubuntu/+source/adsys", "vendor": "Canonical", "product": "Ubuntu 22.04 LTS", "versions": [{"status": "unaffected", "version": "0.16.3~22.04.2ubuntu0.22.04.1", "versionType": "dpkg"}], "platforms": ["Linux"], "packageName": "adsys", "collectionURL": "https://launchpad.net/ubuntu/jammy", "defaultStatus": "affected"}, {"repo": "https://launchpad.net/ubuntu/+source/adsys", "vendor": "Canonical", "product": "Ubuntu 24.04 LTS", "versions": [{"status": "unaffected", "version": "0.16.3~24.04.2ubuntu0.24.04.1", "versionType": "dpkg"}], "platforms": ["Linux"], "packageName": "adsys", "collectionURL": "https://launchpad.net/ubuntu/noble", "defaultStatus": "affected"}, {"repo": "https://launchpad.net/ubuntu/+source/adsys", "vendor": "Canonical", "product": "Ubuntu 25.10", "versions": [{"status": "unaffected", "version": "0.16.3", "versionType": "dpkg"}], "platforms": ["Linux"], "packageName": "adsys", "collectionURL": "https://launchpad.net/ubuntu/questing", "defaultStatus": "unaffected"}, {"repo": "https://launchpad.net/ubuntu/+source/adsys", "vendor": "Canonical", "product": "Ubuntu 26.04 LTS", "versions": [{"status": "unaffected", "version": "0.16.4ubuntu1", "versionType": "dpkg"}], "platforms": ["Linux"], "packageName": "adsys", "collectionURL": "https://launchpad.net/ubuntu/resolute", "defaultStatus": "unaffected"}], "datePublic": "2026-06-19T11:58:00.000Z", "references": [{"url": "https://ubuntu.com/security/CVE-2026-12249", "tags": ["vdb-entry", "issue-tracking"]}, {"url": "https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-348", "description": "Improper verification of cryptographic signature"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-06-22T15:45:03.920Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12249", "state": "PUBLISHED", "dateUpdated": "2026-06-22T17:30:57.314Z", "dateReserved": "2026-06-15T08:01:59.335Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-06-22T15:43:33.890Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object