{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6369", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-15T15:52:27.875Z", "datePublished": "2026-04-20T13:38:13.691Z", "dateUpdated": "2026-04-20T14:06:18.537Z"}, "containers": {"cna": {"title": "Exposed Session Token in canonical-livepatch client snap", "datePublic": "2025-04-20T12:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}, {"lang": "en", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "affected": [{"vendor": "Canonical", "product": "canonical-livepatch", "versions": [{"status": "affected", "version": "0", "lessThan": "10.15.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in the canonical-livepatch snap client prior to version\u00a010.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket.\u00a0This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. This token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues to the Livepatch server."}], "references": [{"url": "https://discourse.ubuntu.com/t/security-notice-canonical-livepatch-client-snap-vulnerability/80662", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.7, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L"}}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-20T13:38:13.691Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:58:37.433925Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:06:18.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:58:37.433925Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:59:42.857Z"}}], "cna": {"title": "Exposed Session Token in canonical-livepatch client snap", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Canonical", "product": "canonical-livepatch", "versions": [{"status": "affected", "version": "0", "lessThan": "10.15.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2025-04-20T12:00:00.000Z", "references": [{"url": "https://discourse.ubuntu.com/t/security-notice-canonical-livepatch-client-snap-vulnerability/80662", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in the canonical-livepatch snap client prior to version\u00a010.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket.\u00a0This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. This token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues to the Livepatch server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}, {"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-20T13:38:13.691Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6369", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:06:18.537Z", "dateReserved": "2026-04-15T15:52:27.875Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-20T13:38:13.691Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:livepatch_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADC1EBE3-957B-4F81-96DA-38E44B434AE1", "versionEndExcluding": "10.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in the canonical-livepatch snap client prior to version\u00a010.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket.\u00a0This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. This token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues to the Livepatch server."}], "id": "CVE-2026-6369", "lastModified": "2026-06-05T18:36:15.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-20T14:16:22.380", "references": [{"source": "security@ubuntu.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://discourse.ubuntu.com/t/security-notice-canonical-livepatch-client-snap-vulnerability/80662"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-732"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.15.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "canonical-livepatch", "source": "cna", "vendor": "Canonical"}, "product": "canonical-livepatch", "vendor": "canonical"}], "analysis": {"en": {"generated_at": "2026-04-20T15:22:27.897395+00:00", "value": {"mitigation_remediation": ["Upgrade the canonical-livepatch snap to version 10.15.0 or later, which removes the unauthenticated socket access.", "If an upgrade is not immediately available, uninstall or disable the canonical-livepatch snap to eliminate the vulnerable socket interface.", "Restrict local Unix socket permissions or configure the system to deny access to livepatchd.sock for non-privileged users."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via root-level authentication token leakage"}, "threat_synthesis": {"affected_systems": "All Ubuntu systems running the canonical-livepatch snap client older than version 10.15.0 with Livepatch enabled and a valid Ubuntu Pro subscription. The vulnerability exists in the snap package delivered by Canonical.", "description_and_impact": "An improper access control flaw in the Canonical Livepatch client snap allows a local unprivileged user to retrieve a root authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. The compromised token grants the attacker full access to Livepatch services running on the host with the victim\u2019s credentials, potentially enabling unauthorized patching or other privileged operations. The flaw arises from missing authentication checks (CWE-306) and incorrect permission assignments (CWE-732).", "risk_and_exploitability": "The CVSS score of 5.7 indicates a medium overall severity. Exploitation requires local, non-privileged access; no remote vector is available. EPSS data is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it is not currently broadly exploited. However, once the token is acquired, the attacker can perform high-impact privileged operations, and the presence of a valid subscription increases the attacker's motivation. The only prerequisite is a user with local access on a system where Livepatch is activated."}}}}, "created": "2026-04-20T15:30:06.167106+00:00", "updated": "2026-04-22T11:48:01.445774+00:00", "vendors": ["canonical", "canonical$PRODUCT$canonical-livepatch"]}