CVE-2025-68152
Published 2026-04-03
Priority: P4, 27, medium. CVSS 3.1: 4.9
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.36% (28.1th percentile)
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | 2.9 – 2.9.55 | — |
| canonical | juju | 3.6 – 3.6.18 | — |
| github.com | juju_juju | >= 0 < 0.0.0-20250623030540-c91a1f404695 | 0.0.0-20250623030540-c91a1f404695 |
| juju | juju | — | — |
| juju | juju | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
Juju: Read All Controller Logs From Compromised Workload
osv·2026-04-03
CVE-2025-68152 [MEDIUM] Juju: Read All Controller Logs From Compromised Workload
### Summary
It is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level.
There is a debug log endpoint in the API server that allows streaming of logs off of the controller. To access this endpoint you must be authenticated and be either a machine agent, controller agent, or controller admin, or have model read permission.
The problem is the machine agent case. The other checks have a high enough degree of safety that an attacker cannot move sideways in the controller when obtaining log files.
### Details
A compromised workload machine is capable of obtaining logs for both the controller and any model under the controller at any log leve
GHSA
Juju: Read All Controller Logs From Compromised Workload
ghsa·2026-04-03
CVE-2025-68152 [MEDIUM] CWE-863 Juju: Read All Controller Logs From Compromised Workload
No detection rules found.
No public exploits indexed.