CRITICAL🇵🇱 Wersja polska

CVE-2026-5412

CVSS 9.9v3.1pub. 2026-04-10upd. 2026-04-30

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

🤖 AI Analysis
How it works

The bug consists of improper permission verification (CWE-285) when calling the CloudSpec API method within the Controller facade. Any authenticated user — regardless of permission level — can call this method and receive cloud credentials (used during the controller bootstrap process) in the response. The authorization mechanism does not verify whether the caller has sufficient privileges to access this sensitive data.

Impact

An attacker with any authentication level can extract the controller's cloud credentials, which in practice means the ability to gain full access to cloud infrastructure resources, as well as potential takeover of the environment managed by Juju.

Mitigation & patch

Canonical Juju should be updated to version 2.9.57 (for the 2.x branch) or 3.6.21 (for the 3.x branch), where the issue has been resolved. Patches are available in the project's official repositories and described in the vendor's references.

Who is affected

Canonical Juju in versions earlier than 2.9.57 and earlier than 3.6.21

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Canonical Juju

    APP
    Canonical
    < 2.9.573.6 – 3.6.21 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-4370CRITICAL10.0PL ✓ten sam produkt

Canonical Juju: brak uwierzytelnienia TLS w klastrze Dqlite umożliwia przejęcie bazy danych

CVE-2017-9232CRITICAL9.8ten sam produkt

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appr...

CVE-2025-68153HIGH7.1ten sam produkt

Juju is an open source application orchestration engine that enables any application operation on any infrastr...

CVE-2026-32692HIGH7.6ten sam produkt

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 thro...

CVE-2026-32693HIGH8.8ten sam produkt

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correct...