PT-2026-31912 · Canonical · Juju
Ales Stimec · Published 2026-04-10 · Updated 2026-05-14
CVE-2026-5412
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Juju versions prior to 2.9.57 and 3.6.21
Description
Juju versions prior to 2.9.57 and 3.6.21 contain an authorization issue in the Controller facade. An authenticated user can call the CloudSpec API method to extract cloud credentials used for bootstrapping the controller. This allows a low-privileged user to access sensitive credentials.
Recommendations
Update to Juju version 2.9.57 or later.
Update to Juju version 3.6.21 or later.
Exploit
Fix
LPE
Improper Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Juju