Skip to main content

Juju CVE-2025-68153

| EUVDEUVD-2025-209211 HIGH
Incorrect Authorization (CWE-863)
2026-04-03 GitHub_M GHSA-245v-p8fj-vwm2
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 21, 2026 - 01:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 01:37 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 16:00 euvd
EUVD-2025-209211
Analysis Generated
Apr 03, 2026 - 16:00 vuln.today
CVE Published
Apr 03, 2026 - 15:28 nvd
HIGH 7.1

DescriptionGitHub Advisory

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.

AnalysisAI

Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to tamper with application resources across the entire controller scope. Affects Juju 2.9.0-2.9.55 and 3.6.0-3.6.18. Patched in versions 2.9.56 and 3.6.19. EPSS score of 0.01% suggests low probability of mass exploitation. No active exploitation confirmed (not in CISA KEV). Authentication requirement (PR:L) limits attack surface to compromised credentials or malicious insiders.

Technical ContextAI

Juju is Canonical's orchestration engine for deploying and managing cloud applications using 'charms' (operators). The vulnerability stems from improper authorization enforcement (CWE-863: Incorrect Authorization) in resource modification operations. Juju's architecture involves controllers managing multiple models, machines, and applications. The flaw allows privilege escalation within the controller boundary-authenticated entities (users, machine agents, or controller components) can modify application resources outside their intended authorization scope. This breaks Juju's role-based access control model, which should restrict resource operations to appropriately permissioned entities. The CPE string (cpe:2.3:a:juju:juju:*:*:*:*:*:*:*:*) confirms the core Juju engine is affected across two maintained version branches. The GitHub commit reference indicates the fix addresses authorization checks in resource handling code paths.

RemediationAI

Upgrade to Juju 2.9.56 (for 2.9.x deployments) or Juju 3.6.19 (for 3.6.x deployments). Vendor-released patches confirmed via GitHub advisory GHSA-245v-p8fj-vwm2 and commit 26ff93c903d55b0712c6fb3f6b254710edb971d4. Organizations should follow Juju's standard controller upgrade procedures documented at https://juju.is/docs. Until patching is complete, implement compensating controls: restrict Juju controller access to only essential trusted users and services via role-based access control, audit all application resource modifications through Juju controller logs for unauthorized changes, segment Juju models to limit blast radius of potential resource tampering (compromised model cannot affect others), and monitor for unexpected resource state changes using Juju status monitoring. Note that restricting network access to the controller API (typically port 17070) provides limited value since exploitation requires authenticated access rather than network reachability alone. No configuration-based workaround fully mitigates the authorization bypass-upgrade is the definitive remediation.

More in Juju

View all
CVE-2017-9232 CRITICAL POC
9.8 May 28

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe

CVE-2025-0928 HIGH POC
8.8 Jul 08

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina

CVE-2025-53513 HIGH POC
8.8 Jul 08

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t

CVE-2024-7558 HIGH POC
8.0 Oct 02

JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack

CVE-2025-53512 MEDIUM POC
6.5 Jul 08

The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb

CVE-2026-4370 CRITICAL
10.0 Apr 01

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple

CVE-2026-5412 CRITICAL
9.9 Apr 10

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia

CVE-2026-32693 HIGH
8.8 Mar 18

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with

CVE-2024-6984 LOW POC
3.8 Jul 29

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged

CVE-2026-32692 HIGH
7.6 Mar 18

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat

CVE-2025-68152 MEDIUM
6.9 Apr 03

Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r

CVE-2026-32694 MEDIUM
6.6 Mar 18

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to

Share

CVE-2025-68153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy