Description
An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. This token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues to the Livepatch server.
Published: 2026-04-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Disclosure of a root-level Livepatch authentication token to a local unprivileged user, who can then use Livepatch services as the victim
Action: Immediate Patch
AI Analysis

Impact

An improper access control flaw in the canonical-livepatch snap client lets a local unprivileged user obtain a root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. With that token the attacker can access Livepatch services using the victim's credentials and, as the CVE description notes, potentially cause issues for the Livepatch server. The flaw arises from a missing authentication check on requests arriving at the socket (CWE-306) combined with permissions on the socket that let unprivileged users reach it (CWE-732).

Affected Systems

Ubuntu systems running the canonical-livepatch snap client older than version 10.15.0 on which an administrator has enabled Livepatch with a valid Ubuntu Pro subscription. A host with the snap installed but Livepatch never enabled holds no token to expose, so the precondition in the description matters for triage. The vulnerability exists in the snap package delivered by Canonical.

Risk and Exploitability

The CVSS 4.0 score of 5.7 (vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L) is medium severity. The attacker needs local, low-privilege access and no user interaction, and the attack requirements (AT:P) reflect the precondition that Livepatch is enabled with a valid subscription; no remote vector exists. The direct impact is a high confidentiality loss (the token itself), with low subsequent integrity and availability impact on the Livepatch server. The EPSS estimate is below 1%, the SSVC assessment records no known exploitation and rates the issue not automatable, and it is not listed in CISA's KEV catalog. A low exploitation likelihood does not make the token low value: it lets the attacker act against Livepatch services as the victim, and the only prerequisite is a local account on a host where Livepatch is activated.

Generated by OpenCVE AI on April 20, 2026 at 15:22 UTC.

Remediation

The CVE description names canonical-livepatch snap version 10.15.0 as the first fixed release; no separate workaround is documented on this page.

OpenCVE Recommended Actions

  • Upgrade the canonical-livepatch snap to version 10.15.0 or later, the first release the CVE description names as fixed.
  • If an upgrade is not immediately available, uninstall or disable the canonical-livepatch snap to remove the vulnerable socket interface; note that this also stops kernel livepatching on the host, so weigh it against the local-only exposure.
  • As a stopgap, restrict the permissions on livepatchd.sock so non-privileged users cannot connect to it. Treat this as temporary: the daemon recreates the socket when it restarts, so re-check the mode after restarts and after the snap refreshes.
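The following triage script is an added example for the affected-systems and remediation points above; it is not code from Canonical, OpenCVE, or the CVE record. It compares the installed canonical-livepatch snap version against 10.15.0 (the fixed version named in the description) and reports the mode and owner of livepatchd.sock so the stopgap permission change can be verified. Two assumptions are not stated on the page: the default socket path below is hypothetical and should be overridden with the real path on your host, and `snap list canonical-livepatch` is assumed to print a header line followed by one row whose second column is the version.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-6369 (not Canonical's or OpenCVE's code).
# Exit status: 0 when the snap is absent or fixed, 1 when it predates 10.15.0.
#
# Assumptions not stated on the page:
#   - SOCKET_PATH is a hypothetical default; set LIVEPATCH_SOCK to the real path.
#   - `snap list canonical-livepatch` prints a header, then a row whose
#     second column is the version.

FIXED_VERSION="10.15.0"
SOCKET_PATH="${LIVEPATCH_SOCK:-/var/snap/canonical-livepatch/common/livepatchd.sock}"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Dot-separated components
# are compared numerically after stripping any non-digit suffix; a missing
# component counts as 0, so "10.15" equals "10.15.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# is_vulnerable VERSION: succeeds (exit 0) when VERSION predates 10.15.0.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# installed_version: prints the snap's version, or nothing if snapd or the
# canonical-livepatch snap is absent.
installed_version() {
    command -v snap >/dev/null 2>&1 || return 0
    snap list canonical-livepatch 2>/dev/null | awk 'NR == 2 { print $2 }'
}

# socket_report PATH: prints mode, owner and group of the socket so you can
# confirm unprivileged users cannot reach it (the CWE-732 side of the issue).
socket_report() {
    if [ -S "$1" ]; then
        stat -c '%A %U:%G %n' "$1"
    else
        echo "no socket at $1 (daemon not running, or path differs)"
    fi
}

main() {
    ver="$(installed_version)"
    if [ -z "$ver" ]; then
        echo "canonical-livepatch snap not installed: not affected"
        return 0
    fi
    if is_vulnerable "$ver"; then
        echo "canonical-livepatch $ver is older than $FIXED_VERSION: VULNERABLE"
        echo "  remediation: snap refresh canonical-livepatch"
        socket_report "$SOCKET_PATH"
        return 1
    fi
    echo "canonical-livepatch $ver is at or above $FIXED_VERSION: fixed"
    socket_report "$SOCKET_PATH"
    return 0
}

main "$@"
```

Run it as root so the socket's mode is readable; the non-zero exit on a vulnerable version makes it usable from fleet tooling that only inspects exit status.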

Generated by OpenCVE AI on April 20, 2026 at 15:22 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:00:00 +0000

Values added (initial publication):
  • Description: An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. This token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues to the Livepatch server.
  • Title: Exposed Session Token in canonical-livepatch client snap
  • Weaknesses: CWE-306, CWE-732
  • References: (empty)
  • Metrics (cvssV4_0): {'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L'}



MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-20T14:06:18.537Z

Reserved: 2026-04-15T15:52:27.875Z

Link: CVE-2026-6369

Vulnrichment

Updated: 2026-04-20T13:59:42.857Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T14:16:22.380

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-6369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses