CVE-2025-68153
Published 2026-04-03
Priority: P3 (36)
Severity: medium, CVSS 3.1 base score 6.5 (AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:N)
EPSS: 0.23% (13.9th percentile)
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | 2.9 – 2.9.55 | 2.9.56 |
| canonical | juju | 3.6 – 3.6.18 | 3.6.19 |
| github.com | juju_juju | >= 0 < 0.0.0-20260120044552-26ff93c903d5 | 0.0.0-20260120044552-26ff93c903d5 |
| juju | juju | — | — |
CVSS provenance
- NVD, CVSS v3.1: 6.5 MEDIUM, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`
- NVD, CVSS v4.0: 7.1 HIGH, `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N` (all environmental, threat and supplemental metrics not defined: `E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`)
OSV (2026-04-06): Juju has a resource poisoning vulnerability in github.com/juju/juju
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/juju/juju from v2.9 before v2.9.56, and from v3.6 before v3.6.19.
OSV (2026-04-03), severity HIGH: Juju has a resource poisoning vulnerability
### Summary
Any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller.
This one is straightforward to confirm by reading the code:
**Step 1:**
The authorisation mechanism for the resource handler is defined [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/apiserver/internal/handlers/resources/resources.go#L77). To pass this check, a caller only needs to have authenticated as a user, a machine or a controller. No permissions on the controller are required, and no further permissions on the target model are checked, so the model UUID in the request path is never tied to what the caller is allowed to touch.
This handler is available under the following path format `/:modeluuid/applications/:application/resources/:
GHSA (2026-04-03), severity HIGH, CWE-863 (Incorrect Authorization): Juju has a resource poisoning vulnerability
The GHSA advisory text is identical to the OSV entry above.
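The following Go program is an added illustration of the authorisation gap the advisory describes (an authenticated-but-unauthorised caller passing a handler gate); it is not Juju's code and does not reproduce the project's handler, its types or its fix. The `Principal`, `ModelACL`, `vulnerableAuthorise`, `hardenedAuthorise` and `uploadResource` names, and the fixture data, are assumptions made for the example. It shows the weak check (any authenticated user, machine or controller passes, regardless of which model is named in the path) beside a version that also requires write access on the target model.

```go
package main

import (
	"errors"
	"fmt"
)

// Kind is the class of principal that authenticated on the API connection.
type Kind int

const (
	KindUnknown Kind = iota
	KindUser
	KindMachine
	KindController
)

// Principal is a constructed stand-in for the authenticated identity the
// API server attaches to an incoming resource upload (assumption, not Juju's type).
type Principal struct {
	Kind Kind
	Tag  string // e.g. "user-alice", "machine-3"; constructed values
}

// Access is a model-scoped permission level, ordered from weakest to strongest.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	WriteAccess
	AdminAccess
)

// ModelACL maps a model UUID to the access each principal tag holds on it.
type ModelACL map[string]map[string]Access

var (
	ErrUnauthorised = errors.New("unauthorised: caller is not an authenticated user, machine or controller")
	ErrForbidden    = errors.New("forbidden: caller lacks write access on the target model")
)

// vulnerableAuthorise reproduces the pattern the advisory describes: the
// only gate is "did the caller authenticate as some user, machine or
// controller". The model UUID from the request path is never compared with
// the caller's permissions, so any authenticated principal passes for any model.
func vulnerableAuthorise(p Principal, modelUUID string, acl ModelACL) error {
	switch p.Kind {
	case KindUser, KindMachine, KindController:
		return nil
	}
	return ErrUnauthorised
}

// hardenedAuthorise keeps the authentication gate and adds the missing
// authorisation step: the principal must hold at least write access on the
// model named in the request. Unknown models and unknown principals are denied.
func hardenedAuthorise(p Principal, modelUUID string, acl ModelACL) error {
	switch p.Kind {
	case KindUser, KindMachine, KindController:
	default:
		return ErrUnauthorised
	}
	perms, ok := acl[modelUUID]
	if !ok {
		return ErrForbidden
	}
	if perms[p.Tag] < WriteAccess { // a missing tag reads as NoAccess
		return ErrForbidden
	}
	return nil
}

// uploadResource simulates the upload handler: it runs the supplied authoriser
// and, only on success, records the new resource content for the application.
func uploadResource(authorise func(Principal, string, ModelACL) error,
	p Principal, modelUUID, application, resource string,
	content []byte, acl ModelACL, store map[string][]byte) error {
	if err := authorise(p, modelUUID, acl); err != nil {
		return err
	}
	store[modelUUID+"/"+application+"/"+resource] = content
	return nil
}

func main() {
	// Constructed fixture: alice can write to model-a, bob can only read it,
	// and mallory is an authenticated user with no access to model-a at all.
	acl := ModelACL{"model-a": {"user-alice": WriteAccess, "user-bob": ReadAccess}}
	mallory := Principal{Kind: KindUser, Tag: "user-mallory"}
	for name, auth := range map[string]func(Principal, string, ModelACL) error{
		"vulnerable": vulnerableAuthorise, "hardened": hardenedAuthorise,
	} {
		store := map[string][]byte{}
		err := uploadResource(auth, mallory, "model-a", "myapp", "bundle", []byte("poisoned"), acl, store)
		fmt.Printf("%-10s mallory upload -> err=%v stored=%d\n", name, err, len(store))
	}
}
```

The design point is that authentication (who is calling) and authorisation (what that caller may do to this model) are separate checks; a handler that takes a model identifier from the URL must look that identifier up against the caller's permissions before mutating anything, and should deny by default when the model or the principal is unknown.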
No detection rules found.
No public exploits indexed.
Published: 2026-04-03