CVE-2026-5412
CRITICALJuju CloudSpec API could leak senstive information
Title source: cnaDescription
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
References (3)
Core 3
Core References
Vendor Advisory vdb-entry
vendor-advisory
CloudSpec method leaking cloud credentials
https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969
Patch patch
issue-tracking
https://github.com/juju/juju/pull/22206
Patch patch
issue-tracking
https://github.com/juju/juju/pull/22205
Scores
CVSS v3
9.9
EPSS
0.0044
EPSS Percentile
35.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-285
Status
published
Products (4)
canonical/juju
< 2.9.57
Canonical/Juju
2.9.0 - 2.9.57
Canonical/Juju
3.6.0 - 3.6.21
juju/juju
0 - 0.0.0-20260408003526-d395054dc2c3Go
Published
Apr 10, 2026
Tracked Since
Apr 10, 2026