Canonical · Juju · CVE-2026-5412
Name of the Vulnerable Software and Affected Versions
Juju versions prior to 2.9.57 and 3.6.21
Description
Juju versions prior to 2.9.57 and 3.6.21 contain an authorization issue in the Controller facade. An authenticated user can call the `CloudSpec` API method to extract cloud credentials used for bootstrapping the controller. This allows a low-privileged user to access sensitive credentials.
Recommendations
Update to Juju version 2.9.57 or later.
Update to Juju version 3.6.21 or later.
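Added example, not part of the advisory or of Juju's own code: a POSIX shell check that classifies a controller's agent version against the two fixed releases above, so a list of controllers can be triaged quickly. The function name and the handling of series the advisory does not name (older than 3.6 treated as affected, newer than 3.6 reported as unknown) are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the Juju project).
# Assumptions: the 2.9 series is fixed from 2.9.57, the 3.6 series from 3.6.21,
# every other release older than 3.6 counts as affected, and series newer
# than 3.6 are reported as "unknown" because the advisory does not name them.

# juju_cve_2026_5412_status VERSION  (hypothetical helper name)
# Prints affected | fixed | unknown. Returns 0 for fixed, 1 for affected, 2 for unknown.
juju_cve_2026_5412_status() {
    _v=${1%%-*}                      # drop suffixes such as "-ubuntu-amd64"
    case $_v in
        *[!0-9.]*|*..*|'') echo unknown; return 2 ;;
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 2 ;; # e.g. "3.6" left over from "3.6-beta1"
    esac
    _major=${_v%%.*}; _rest=${_v#*.}
    _minor=${_rest%%.*}; _rest=${_rest#*.}
    _patch=${_rest%%.*}              # ignore a fourth build-number component

    if [ "$_major" -eq 2 ] && [ "$_minor" -eq 9 ]; then
        _fixed=57
    elif [ "$_major" -eq 3 ] && [ "$_minor" -eq 6 ]; then
        _fixed=21
    elif [ "$_major" -lt 3 ] || { [ "$_major" -eq 3 ] && [ "$_minor" -lt 6 ]; }; then
        echo affected; return 1
    else
        echo unknown; return 2
    fi
    if [ "$_patch" -lt "$_fixed" ]; then
        echo affected; return 1
    fi
    echo fixed
}

# Constructed sample versions, with and without a platform suffix.
for v in 2.9.56-ubuntu-amd64 2.9.57 3.5.7 3.6.20-genericlinux-amd64 3.6.21 4.0.0 3.6-beta1; do
    status=$(juju_cve_2026_5412_status "$v") || true
    printf '%-28s %s\n' "$v" "$status"
done
```

The issue is in the Controller facade, so pass the controller's agent version rather than the version of the local client.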