CVE-2025-68152 — Incorrect Authorization in Juju Juju

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 97.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Juju Juju Juju

Timeline

PublishedApr 3

Description

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Gogithub.com/juju_juju< 0.0.0-20250623030540-c91a1f404695

▶CVEListV5juju/juju>= 2.9, < 2.9.56, >= 3.6, < 3.6.19+1

🔴Vulnerability Details

CVEList

Juju: Read All Controller Logs From Compromised Workload↗2026-04-03

▶

OSV

Juju: Read All Controller Logs From Compromised Workload↗2026-04-03

▶

GHSA

Juju: Read All Controller Logs From Compromised Workload↗2026-04-03

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68152 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶