github.com/juju/juju vulnerabilities

18 known vulnerabilities affecting github.com/juju/juju.

Total CVEs: 18
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 5, MEDIUM 9, LOW 1

Vulnerabilities

CVE-2026-5412 | CRITICAL | CWE-285 | affected: ≥ 0, < 0.0.0-20260408003526-d395054dc2c3 | published: 2026-04-10 | sources: GHSA
Juju: CloudSpec method leaking cloud credentials
Impact: If a user has login permission to a controller and knows the controller model UUID, they can call the CloudSpec method on the Controller facade and get cloud credentials used to bootstrap the controller. The CloudSpec API is called by workers running in the controller to maintain connection to the cloud - this aspect is not the issue. The API is also ca
CVE-2026-5774 | MEDIUM | CWE-362 | affected: ≥ 0, < 0.0.0-20260408003526-d395054dc2c3 | published: 2026-04-10 | sources: GHSA
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence
Summary: The localLoginHandlers struct in the Juju API server maintains an in-memory map to store discharge tokens following successful local authentication. This map is accessed concurrently from multiple HTTP handler goroutines without any synchronization primitive protecting it. T
CVE-2025-68153 | HIGH | CWE-863 | affected: ≥ 0, < 0.0.0-20260120044552-26ff93c903d5 | published: 2026-04-03 | sources: GHSA, OSV
Juju has a resource poisoning vulnerability
Summary: Any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This one is very straightforward to just read in the code: Step 1: The authorisation mechanism for the resource handler is defined [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/apiserv
CVE-2025-68152 | MEDIUM | CWE-863 | affected: ≥ 0, < 0.0.0-20250623030540-c91a1f404695 | published: 2026-04-03 | sources: GHSA, OSV
Juju: Read All Controller Logs From Compromised Workload
Summary: It is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. There is a debug log endpoint in the API server that allows streaming of logs off of the controller. To access this endpoint you must be authenticated and either be a machine agent, controller agent,
CVE-2026-4370 | CRITICAL | CWE-287 | affected: ≥ 0, ≤ 0.0.0-20260401092550-1c1ac1922b57 | published: 2026-04-02 | sources: GHSA, OSV
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster
Impact: Any Juju controller since 3.2.0. An attacker with only route-ability to the target juju controller Dqlite cluster endpoint may join the Dqlite cluster, read and modify all information, including escalating privileges, open firewall ports etc. This is du
CVE-2026-32693 | HIGH | CWE-284 | affected: ≥ 0.0.0-20221021155847-35c560704ee2, < 0.0.0-20260319091847-d06919eb03ec | published: 2026-03-19 | sources: GHSA, OSV
Juju has unauthorized access to out-of-scope Kubernetes secrets
Summary: Grantee is able to update secret content using the `secret-set` tool due to broad Kubernetes access policy. Implications are that it is possible, knowing a Kubernetes secret identifier (e.g. name), to patch without affecting the secret (revealing the value), or to patch while affecting the secret's value. Details: When a J
CVE-2026-32692 | HIGH | CWE-285 | affected: ≥ 0.0.0-20230919230135-f6a66aa91eec, < 0.0.0-20260319091847-d06919eb03ec | published: 2026-03-19 | sources: GHSA, OSV
Juju has unauthorized update of out-of-scope Vault secrets
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end. Impact:
CVE-2026-32691 | MEDIUM | CWE-708 | affected: ≥ 3.0.0, < 3.6.19 | published: 2026-03-19 | sources: GHSA, OSV
Juju affected by timing ownership claim attack on new external back-end secrets
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can c
CVE-2026-32694 | MEDIUM | CWE-343 | affected: ≥ 0.0.0-20221021155847-35c560704ee2, < 0.0.0-20260319091847-d06919eb03ec | published: 2026-03-19 | sources: GHSA, OSV
Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
Summary: Predictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads. Details: A Juju application can create a secret and grant it to another integrated application (grantee). When they do so, the secret owner has to communica
CVE-2026-1237 | LOW | CWE-347 | affected: ≥ 0, ≤ 0.0.0-20260127110037-9b1a0e53a4a4 | published: 2026-01-29 | sources: GHSA, OSV
Juju has broken CMR authorization
Impact: Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid. Scenario: A user kno
CVE-2025-0928 | HIGH | CWE-285 | affected: ≥ 0, < 0.0.0-20250619215741-4034aa13c7cf | published: 2025-07-09 | sources: GHSA, OSV
Juju allows arbitrary executable uploads via authenticated endpoint without authorization
Summary: You can affect the agent binaries used in a Juju controller and the code that is run in the binaries by simply having a user account on a controller. You aren't required to have a model or any permissions. This just requires a user account in the controller database. Detai
CVE-2025-53513 | HIGH | CWE-22 | affected: ≥ 0, < 0.0.0-20250619215741-6356e984b82a | published: 2025-07-09 | sources: GHSA, OSV
Juju zip slip vulnerability via authenticated endpoint
Impact: Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to get access to a machine running a unit using the affected
CVE-2025-53512 | MEDIUM | CWE-200 | affected: ≥ 0, < 0.0.0-20250619024904-402ff008dcc2 | published: 2025-07-09 | sources: GHSA, OSV
Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization
Impact: Any user with a Juju account on a controller can read debug log messages from the `/log` endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information. D
CVE-2024-7558 | MEDIUM | CWE-1391 | affected: ≥ 0, < 0.0.0-20240826044107-ecd7e2d0e986 | published: 2024-10-03 | sources: GHSA, OSV
JUJU_CONTEXT_ID is a predictable authentication secret
`JUJU_CONTEXT_ID` is the authentication measure on the unit hook tool abstract domain socket. It looks like `JUJU_CONTEXT_ID=appname/0-update-status-6073989428498739633`. This value looks fairly unpredictable, but due to the random source used, it is highly predictable. `JUJU_CONTEXT_ID` has the following components: - the application name - the unit nu
CVE-2024-8037 | MEDIUM | CWE-284 | affected: ≥ 0, < 0.0.0-20240820065804-2f2ec128ef5a | published: 2024-10-03 | sources: GHSA, OSV
Vulnerable juju hook tool abstract UNIX domain socket
Impact: When combined with an attack of `JUJU_CONTEXT_ID`, any user on the local system with access to the default network namespace may connect to the `@/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket` and perform actions that are normally reserved to a juju charm. Patches: Patch: https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0
CVE-2024-8038 | MEDIUM | affected: ≥ 0, < 0.0.0-20240829052008-43f0fc59790d | published: 2024-10-03 | sources: GHSA, OSV
Vulnerable juju introspection abstract UNIX domain socket
Impact: An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running. On a juju controller agent, denial of service can be performed by using the `/leases/revoke` endpoint. Revoking leases in juju can cause availability issue
CVE-2023-0092 | MEDIUM | CWE-22 | affected: ≥ 2.9.22, < 2.9.38; ≥ 3.0.0, < 3.0.3 | published: 2023-03-01 | sources: GHSA, OSV
Juju controller - Arbitrary file reading vulnerability
Impact: An authenticated user who has read access to the juju controller model may construct a remote request to download an arbitrary file from the controller's filesystem. Patches: Patched in juju 2.9.38 and juju 3.0.3 [juju/juju#ef803e2](https://github.com/juju/juju/commit/ef803e2a13692d355b784b7da8b4b1f01dab1556) Workarounds: Limit read acce
CVE-2017-9232 | CRITICAL | PoC available | CWE-862 | affected: ≥ 0, < 0.0.0-20170524231039-0417178a3c28 | published: 2022-05-13 | sources: GHSA, OSV
Juju uses a UNIX domain socket without setting appropriate permissions
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.