Skip to main content

Juju CVE-2025-68152

| EUVDEUVD-2025-209209 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-03 GitHub_M GHSA-j6f6-jp3p-53mw
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 16:00 euvd
EUVD-2025-209209
Analysis Generated
Apr 03, 2026 - 16:00 vuln.today
CVE Published
Apr 03, 2026 - 15:25 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.

AnalysisAI

Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to read arbitrary log files for any entity across any model without proper authorization checks. This authentication bypass (CWE-863) affects high-privilege scenarios where an attacker already controls a machine within a Juju-managed infrastructure, enabling lateral information disclosure to extract sensitive operational logs. The vulnerability has been patched in Juju 2.9.56 and 3.6.19.

Technical ContextAI

Juju is an operator-based infrastructure automation platform that manages applications and their lifecycle across heterogeneous environments. The underlying issue stems from insufficient authorization enforcement in the log access control mechanism (CWE-863: Improper Authorization). The CVSS vector (PR:H) indicates this requires high-privilege context-specifically, an attacker must already have control over a workload machine managed by the Juju controller. The vulnerability allows privilege escalation within the Juju management plane: a compromised machine can bypass model isolation and read logs from entities it should not have access to. This affects the core multi-tenancy and isolation guarantees that Juju operators depend on.

RemediationAI

Vendor-released patch: Juju 2.9.56 and Juju 3.6.19. Administrators should upgrade immediately to one of these patched versions. For organizations unable to upgrade immediately, the primary mitigation is to restrict physical or administrative access to workload machines managed by the Juju controller, as the vulnerability requires an attacker to already control a machine in the deployment. No workaround is available short of patching. Additional defense-in-depth measures include implementing network segmentation to restrict log access channels and auditing log access patterns to detect unauthorized queries. Refer to the GitHub security advisory (https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw) for deployment-specific guidance.

More in Juju

View all
CVE-2017-9232 CRITICAL POC
9.8 May 28

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe

CVE-2025-0928 HIGH POC
8.8 Jul 08

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina

CVE-2025-53513 HIGH POC
8.8 Jul 08

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t

CVE-2024-7558 HIGH POC
8.0 Oct 02

JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack

CVE-2025-53512 MEDIUM POC
6.5 Jul 08

The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb

CVE-2026-4370 CRITICAL
10.0 Apr 01

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple

CVE-2026-5412 CRITICAL
9.9 Apr 10

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia

CVE-2026-32693 HIGH
8.8 Mar 18

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with

CVE-2024-6984 LOW POC
3.8 Jul 29

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged

CVE-2026-32692 HIGH
7.6 Mar 18

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat

CVE-2025-68153 HIGH
7.1 Apr 03

Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to

CVE-2026-32694 MEDIUM
6.6 Mar 18

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to

Share

CVE-2025-68152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy