CVE-2026-5412
Last modified
CVE-2026-5412 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. EPSS estimates a 0.45% chance of exploitation in the next 30 days.
Description
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Juju | < 2.9.57 |
| Canonical | Juju | >= 3.6, < 3.6.21 |
References
- https://github.com/juju/juju/pull/22205Issue Tracking, Patch
- https://github.com/juju/juju/pull/22206Issue Tracking, Patch
- https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-5412?
How severe is CVE-2026-5412?
How do I fix CVE-2026-5412?
Are you affected by CVE-2026-5412?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST