Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
AnalysisAI
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to tamper with application resources across the entire controller scope. Affects Juju 2.9.0-2.9.55 and 3.6.0-3.6.18. Patched in versions 2.9.56 and 3.6.19. EPSS score of 0.01% suggests low probability of mass exploitation. No active exploitation confirmed (not in CISA KEV). Authentication requirement (PR:L) limits attack surface to compromised credentials or malicious insiders.
Technical ContextAI
Juju is Canonical's orchestration engine for deploying and managing cloud applications using 'charms' (operators). The vulnerability stems from improper authorization enforcement (CWE-863: Incorrect Authorization) in resource modification operations. Juju's architecture involves controllers managing multiple models, machines, and applications. The flaw allows privilege escalation within the controller boundary-authenticated entities (users, machine agents, or controller components) can modify application resources outside their intended authorization scope. This breaks Juju's role-based access control model, which should restrict resource operations to appropriately permissioned entities. The CPE string (cpe:2.3:a:juju:juju:*:*:*:*:*:*:*:*) confirms the core Juju engine is affected across two maintained version branches. The GitHub commit reference indicates the fix addresses authorization checks in resource handling code paths.
RemediationAI
Upgrade to Juju 2.9.56 (for 2.9.x deployments) or Juju 3.6.19 (for 3.6.x deployments). Vendor-released patches confirmed via GitHub advisory GHSA-245v-p8fj-vwm2 and commit 26ff93c903d55b0712c6fb3f6b254710edb971d4. Organizations should follow Juju's standard controller upgrade procedures documented at https://juju.is/docs. Until patching is complete, implement compensating controls: restrict Juju controller access to only essential trusted users and services via role-based access control, audit all application resource modifications through Juju controller logs for unauthorized changes, segment Juju models to limit blast radius of potential resource tampering (compromised model cannot affect others), and monitor for unexpected resource state changes using Juju status monitoring. Note that restricting network access to the controller API (typically port 17070) provides limited value since exploitation requires authenticated access rather than network reachability alone. No configuration-based workaround fully mitigates the authorization bypass-upgrade is the definitive remediation.
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t
JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r
A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209211
GHSA-245v-p8fj-vwm2