Description
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
Published: 2026-04-03
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Unauthorized resource modification within controller
Action: Immediate Patch
AI Analysis

Impact

Resource poisoning lets any authenticated user, machine agent or controller modify the resources of any application managed by a Juju controller, anywhere within that controller. In Juju, resources are the files and OCI images a charm consumes at deploy and upgrade time, so an attacker who can replace them can change what a deployed application actually runs, leading to loss of control over the application, service interruption and misuse of the environment. The weakness is an authorization flaw, classified as CWE-863 (Incorrect Authorization).

Affected Systems

Juju controllers running versions 2.9.0 through 2.9.55 or 3.6.0 through 3.6.18 are affected. Any identity that can authenticate to a controller, whether a user, a machine agent or another controller, can exploit the flaw against every application the controller manages, not only those in models it has been granted access to. The advisory names only these two release series and makes no statement about other releases.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 rates the issue High. The vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N) records network reachability, low attack complexity, low privileges and no user interaction, with a high impact on integrity and none on confidentiality or availability; any service disruption would be a secondary effect of tampered resources rather than something the score itself measures. No EPSS score is published and the CVE is not listed in CISA's KEV catalog, but the SSVC assessment recorded in the history below marks Exploitation as 'poc', Automatable as 'no' and Technical Impact as 'partial'. The attacker needs nothing more than valid credentials for the controller, so the exposure is greatest in environments with many users, machine agents or cross-controller relations, and in environments that rely on per-model access control as a security boundary.

Generated by OpenCVE AI on April 3, 2026 at 18:20 UTC.

Remediation

The vendor fix is to upgrade to Juju 2.9.56 or 3.6.19 (or later in the respective series). No workaround is documented; until the controller is upgraded, every authenticated identity retains the ability to modify application resources.

OpenCVE Recommended Actions

  • Upgrade Juju to version 2.9.56 or later
  • Upgrade Juju to version 3.6.19 or later
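As an added example (not part of this OpenCVE page or of the Juju project), the following Python check maps the fixed versions above onto the output of `juju controllers --format json`. It assumes that output carries a per-controller `agent-version` field; the sample JSON embedded in the block is constructed for illustration, not captured from a real controller. Versions in a series the advisory does not name (for example 3.5.x) are reported as "unlisted" rather than safe, and pre-release tags such as 3.6.19-beta1 sort before the fixed release.

```python
"""Check Juju controller agent versions against the CVE-2025-68153 fixed releases.

Added example, not code from the OpenCVE page or the Juju project. Assumes
that `juju controllers --format json` reports an "agent-version" per controller;
the SAMPLE JSON below is constructed, not real controller data.
"""
import json
import re

# Fixed releases stated in the advisory, keyed by affected (major, minor) series.
# The trailing 1 marks a final release; pre-releases carry 0 so they sort earlier.
FIXED = {(2, 9): (2, 9, 56, 1), (3, 6): (3, 6, 19, 1)}

# major.minor.patch, optional .build number, optional -tag (beta1, rc1, ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(\.\d+)?(-[A-Za-z]\w*)?")


def parse_version(text):
    """Return (major, minor, patch, is_release) from a Juju version string.

    Accepts forms such as "3.6.18", "2.9.42.1" (with a build number) and
    "3.6.19-beta1". Returns None if the string does not start with three
    dotted integers.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_release = 0 if m.group(5) else 1
    return (major, minor, patch, is_release)


def classify(version_text):
    """Classify one agent version against the advisory.

    "vulnerable"  - affected series, older than its fixed release
    "fixed"       - affected series, at or above its fixed release
    "unlisted"    - a series the advisory does not mention; not proven safe
    "unparseable" - version string not understood
    """
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if v < fixed else "fixed"


def check_controllers(controllers_json):
    """Map controller name -> status from `juju controllers --format json` text."""
    data = json.loads(controllers_json)
    return {
        name: classify(info.get("agent-version", ""))
        for name, info in data.get("controllers", {}).items()
    }


# Constructed sample modelled on the JSON shape; the names and versions are made up.
SAMPLE = json.dumps({
    "controllers": {
        "prod-2.9": {"agent-version": "2.9.55", "cloud": "aws"},
        "prod-3.6": {"agent-version": "3.6.19", "cloud": "aws"},
        "lab": {"agent-version": "3.6.18-rc1", "cloud": "localhost"},
        "legacy": {"agent-version": "3.5.4", "cloud": "maas"},
    },
    "current-controller": "prod-3.6",
})

if __name__ == "__main__":
    for name, status in sorted(check_controllers(SAMPLE).items()):
        print(f"{name:10} {status}")
```

Against a live environment, pass the raw output of `juju controllers --format json` to `check_controllers`; anything reported as "vulnerable" should be upgraded, and "unlisted" results need a separate assessment because the advisory says nothing about those series.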

Advisories

Source: GitHub GHSA
ID: GHSA-245v-p8fj-vwm2
Title: Juju has a resource poisoning vulnerability
History

Sat, 04 Apr 2026 05:00:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 21:30:00 +0000

Type: First Time appeared
Values added: Juju (vendor), Juju juju (product)

Type: Vendors & Products
Values added: Juju (vendor), Juju juju (product)

Fri, 03 Apr 2026 16:30:00 +0000

Type: Description
Values added: the CVE description reproduced at the top of this page

Type: Title
Values added: Juju: Resource poisoning

Type: Weaknesses
Values added: CWE-863

Type: References
Values added: (none recorded)

Type: Metrics
Values added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:16:56.632Z

Reserved: 2025-12-15T20:13:34.486Z

Link: CVE-2025-68153

Vulnrichment

Updated: 2026-04-04T03:16:52.887Z

NVD

Status: Received

Published: 2026-04-03T16:16:23.357

Modified: 2026-04-03T16:16:23.357

Link: CVE-2025-68153

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:18Z

Weaknesses