CVE-2026-5412 PUBLISHED

Juju CloudSpec API could leak senstive information

Assigner: canonical
Reserved: 02.04.2026 Published: 10.04.2026 Updated: 10.04.2026

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Canonical
Product	Juju
Versions	Default: unaffected affected from 2.9.0 to 2.9.57 (excl.) affected from 3.6.0 to 3.6.21 (excl.)

Credits

Ales Stimec finder

References

Problem Types

CWE-285: Improper Authorization CWE

Impacts

CAPEC-37: Retrieve Embedded Sensitive Data