CVE-2026-6970 (GCVE-0-2026-6970)
Vulnerability from cvelistv5
Published
2026-04-27 15:28
Modified
2026-04-27 16:17
Severity ?
7.3 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-842 - Placement of user into incorrect group
Summary
authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.
References
Impacted products
Vendor Product Version
Canonical authd Version: 0.6.0   
Version: 0.6.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6970",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T16:16:37.315715Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T16:17:10.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "authd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "0.6.4",
              "status": "affected",
              "version": "0.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "0.6.1ubuntu0.1",
              "status": "affected",
              "version": "0.6.1",
              "versionType": "ubuntu-resolute"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user\u0027s primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user\u0027s identity provider record is updated, authd incorrectly resets the user\u0027s primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-842",
              "description": "CWE-842 Placement of user into incorrect group",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T15:28:48.209Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/canonical/authd/security/advisories/GHSA-fg3j-5w9g-hmg7"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/canonical/authd/commit/154b428305cb1a7a19c897626fefd09d6dde8b9f"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "authd Denial of Service and Local Privilege Escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-6970",
    "datePublished": "2026-04-27T15:28:48.209Z",
    "dateReserved": "2026-04-24T16:52:35.090Z",
    "dateUpdated": "2026-04-27T16:17:10.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6970\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-27T16:16:37.315715Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-27T16:14:29.359Z\"}}], \"cna\": {\"title\": \"authd Denial of Service and Local Privilege Escalation\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Escalation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Canonical\", \"product\": \"authd\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.6.0\", \"lessThan\": \"0.6.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0.6.1\", \"lessThan\": \"0.6.1ubuntu0.1\", \"versionType\": \"ubuntu-resolute\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/canonical/authd/security/advisories/GHSA-fg3j-5w9g-hmg7\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/canonical/authd/commit/154b428305cb1a7a19c897626fefd09d6dde8b9f\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user\u0027s primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user\u0027s identity provider record is updated, authd incorrectly resets the user\u0027s primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-842\", \"description\": \"CWE-842 Placement of user into incorrect group\"}]}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2026-04-27T15:28:48.209Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-6970\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-27T16:17:10.157Z\", \"dateReserved\": \"2026-04-24T16:52:35.090Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2026-04-27T15:28:48.209Z\", \"assignerShortName\": \"canonical\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.