CVE-2025-68153 — Incorrect Authorization in Juju Juju

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 97.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Juju Juju Juju

Timeline

PublishedApr 3

Latest updateApr 6

Description

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Gogithub.com/juju_juju< 0.0.0-20260120044552-26ff93c903d5

▶CVEListV5juju/juju>= 2.9, < 2.9.56, >= 3.6, < 3.6.19+1

🔴Vulnerability Details

OSV

Juju has a resource poisoning vulnerability in github.com/juju/juju↗2026-04-06

▶

CVEList

Juju: Resource poisoning↗2026-04-03

▶

OSV

Juju has a resource poisoning vulnerability↗2026-04-03

▶

GHSA

Juju has a resource poisoning vulnerability↗2026-04-03

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68153 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶