CVE-2026-5412

CWE-285 | 3 documents | 3 sources
Severity: 9.9 CRITICAL
EPSS: 0.0% (top 88.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10

Description

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0

Affected Packages (2 packages)

CVEListV5 | canonical/juju | 2.9.0 | 2.9.57 | +1
Go | github.com/juju/juju | < 0.0.0-20260408003526-d395054dc2c3

Vulnerability Details (2)

GHSA | Juju: CloudSpec method leaking cloud credentials | 2026-04-10
CVEList | Juju CloudSpec API could leak sensitive information | 2026-04-10
CVE-2026-5412 (CRITICAL CVSS 9.9) | In Juju versions prior to 2.9.57 an | cvebase.io