Canonical · Ubuntu-Pro-Client · CVE-2026-11386
**Name of the Vulnerable Software and Affected Versions**
ubuntu-pro-client (affected versions not specified)
**Description**
An input validation and injection issue exists where the client constructs APT source files using data from the contract server response via the `directives.suites[]` and `directives.aptURL` fields. The use of Python's `str.format()` to write these files without escaping, validation, or newline character filtering allows a tampered response containing newline characters to inject arbitrary configuration lines into root-owned APT sources. When combined with the unvalidated `additionalPackages[]` field, which is passed into a root-executed `apt-get install` command, an attacker who can manipulate the contract response can force the installation of malicious packages, leading to arbitrary code execution with root privileges. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.