Description
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
Published: 2026-04-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Log Data Exposure
Action: Immediate Patch
AI Analysis

Impact

A compromised workload machine under a Juju controller can read any log file for any entity in any model, bypassing normal access controls. This allows an attacker to retrieve sensitive operational information from controller logs, potentially exposing configuration details, credentials, or internal audit data. The vulnerability corresponds to missing access control checks, as categorized by CWE-863.

Affected Systems

Juju versions 2.9 through 2.9.55 and 3.6 through 3.6.18 are vulnerable. The issue was fixed in versions 2.9.56 and 3.6.19, and later releases.

Risk and Exploitability

With a CVSS score of 6.9 the risk is moderate. Exploitation requires the attacker to already have control over a workload machine connected to the controller, so it is a local compromise scenario. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. Nonetheless, the moderate severity combined with potential for sensitive data exposure warrants prompt action.

Generated by OpenCVE AI on April 3, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Juju to version 2.9.56 or later, or 3.6.19 or later.

Generated by OpenCVE AI on April 3, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j6f6-jp3p-53mw Juju: Read All Controller Logs From Compromised Workload
History

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Juju
Juju juju
Vendors & Products Juju
Juju juju
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
Title Juju: Read All Controller Logs From Compromised Workload
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Juju Juju
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T20:03:45.979Z

Reserved: 2025-12-15T20:13:34.486Z

Link: CVE-2025-68152

cve-icon Vulnrichment

Updated: 2026-04-03T20:03:41.945Z

cve-icon NVD

Status : Received

Published: 2026-04-03T16:16:23.193

Modified: 2026-04-03T16:16:23.193

Link: CVE-2025-68152

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:15:19Z

Weaknesses