Skip to main content

Juju CVE-2026-5412

| EUVDEUVD-2026-21364 CRITICAL
Improper Authorization (CWE-285)
2026-04-10 canonical GHSA-w5fq-8965-c969
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 12:45 euvd
EUVD-2026-21364
Analysis Generated
Apr 10, 2026 - 12:45 vuln.today
Patch released
Apr 10, 2026 - 12:45 nvd
Patch available
CVE Published
Apr 10, 2026 - 12:22 nvd
CRITICAL 9.9

DescriptionCVE.org

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

AnalysisAI

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.

Technical ContextAI

CWE-285 improper authorization flaw in Controller facade's CloudSpec method permits authenticated users (CVSS PR:L) to bypass privilege checks and retrieve controller bootstrap credentials. Network-vector (AV:N), cross-scope impact (S:C) enables cloud infrastructure compromise beyond Juju itself. Root cause: missing authorization enforcement on sensitive credential-retrieval API.

RemediationAI

Vendor-released patch: Juju 2.9.57 (for 2.9.x branch) and 3.6.21 (for 3.6.x branch). Upgrade immediately via standard package management or download from official Canonical repositories. Patches available at https://github.com/juju/juju/pull/22206 and https://github.com/juju/juju/pull/22205. Interim mitigation: restrict network access to Juju controller API endpoints via firewall rules limiting connections to trusted administrative hosts only. Audit existing user permissions; revoke low-privilege accounts with controller access. Review cloud provider audit logs for unauthorized credential usage. Full advisory: https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969

More in Juju

View all
CVE-2017-9232 CRITICAL POC
9.8 May 28

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe

CVE-2025-0928 HIGH POC
8.8 Jul 08

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina

CVE-2025-53513 HIGH POC
8.8 Jul 08

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t

CVE-2024-7558 HIGH POC
8.0 Oct 02

JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack

CVE-2025-53512 MEDIUM POC
6.5 Jul 08

The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb

CVE-2026-4370 CRITICAL
10.0 Apr 01

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple

CVE-2026-32693 HIGH
8.8 Mar 18

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with

CVE-2024-6984 LOW POC
3.8 Jul 29

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged

CVE-2026-32692 HIGH
7.6 Mar 18

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat

CVE-2025-68153 HIGH
7.1 Apr 03

Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to

CVE-2025-68152 MEDIUM
6.9 Apr 03

Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r

CVE-2026-32694 MEDIUM
6.6 Mar 18

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to

Share

CVE-2026-5412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy