CVE-2026-5412

CRITICAL

Juju CloudSpec API could leak senstive information

Title source: cna

Description

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

References (3)

[Vendor Advisory] https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969

[Patch] https://github.com/juju/juju/pull/22206

[Patch] https://github.com/juju/juju/pull/22205

Scores

CVSS v3 9.9

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-285

Status published

Products (3)

Canonical/Juju 2.9.0 - 2.9.57

Canonical/Juju 3.6.0 - 3.6.21

juju/juju 0 - 0.0.0-20260408003526-d395054dc2c3Go

Published Apr 10, 2026

Tracked Since Apr 10, 2026