Description
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
References (1)
Exploit, Vendor Advisory: https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv
Scores
CVSS v3: 8.8
EPSS: 0.0088
EPSS Percentile: 75.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-285, CWE-434
Status: published
Products (2)
canonical/juju: < 2.9.52
juju/juju (Go): 0 - 0.0.0-20250619215741-4034aa13c7cf
Published: Jul 08, 2025
Tracked Since: Feb 18, 2026