{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-12249/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-22T17:30:57.314Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-12249","@id":"https://www.cve.org/CVERecord?id=CVE-2026-12249","description":"An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated netw[...] (description truncated in this document; see the CVE record referenced by the vulnerability @id for the full text)"},"products":[{"@id":"https://database.harborguard.co/cve/CVE-2026-12249#product"},{"@id":"cpe:2.3:a:canonical:ubuntu_20.04_lts:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:canonical:ubuntu_20.04_lts:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:canonical:ubuntu_22.04_lts:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:canonical:ubuntu_22.04_lts:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:canonical:ubuntu_24.04_lts:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:canonical:ubuntu_24.04_lts:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:canonical:ubuntu_25.10:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:canonical:ubuntu_25.10:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:canonical:ubuntu_26.04_lts:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:canonical:ubuntu_26.04_lts:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 0.9.2~20.04.2ubuntu0.1+esm2, 0.16.3, 0.16.3~22.04.2ubuntu0.22.04.1, 0.16.3~24.04.2ubuntu0.24.04.1, 0.16.4ubuntu1.","timestamp":"2026-06-22T17:30:57.314Z"}]}