CVE-2026-5412

CVSS v3.1

9.9

Critical

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

Fix

LPE

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

CVE-2026-5412

Affected Products

Juju

CVE-2026-5412

Weakness Enumeration

Related Identifiers

Affected Products

References · 8