Description
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
Published: 2026-04-10
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive credential disclosure
Action: Immediate Patch
AI Analysis

Impact

An authorization flaw in Juju’s Controller facade allows an authenticated user to invoke the CloudSpec API and retrieve the cloud credentials that were used to bootstrap the controller. The vulnerability exposes sensitive credential data to a low‑privileged user, resulting in a severe confidentiality breach. The weakness is classed as improper authorization (CWE‑285).

Affected Systems

Canonical Juju is affected. Versions prior to 2.9.57 and 3.6.21 have the flaw. Upgrading to Juju 2.9.57 or later, or to Juju 3.6.21 or later, resolves the issue.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. While an EPSS score was not provided, the vulnerability is not listed in the CISA KEV catalog, suggesting no active exploit reported. An attacker only needs authenticated access with low privileges and can exploit the CloudSpec API to pull credentials. The attack vector is internal to the Juju platform and does not require additional network exposure. Prompt patching is therefore essential to mitigate potential compromise of cloud accounts.

Generated by OpenCVE AI on April 10, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Juju to version 2.9.57 or later, or to Juju 3.6.21 or later
  • Verify that the upgrade was successful and that no older controller forms remain

Generated by OpenCVE AI on April 10, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w5fq-8965-c969 Juju: CloudSpec method leaking cloud credentials
History

Thu, 30 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical juju
Vendors & Products Canonical
Canonical juju

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
Title Juju CloudSpec API could leak senstive information
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Canonical Juju
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-10T14:04:30.155Z

Reserved: 2026-04-02T07:07:23.750Z

Link: CVE-2026-5412

cve-icon Vulnrichment

Updated: 2026-04-10T14:04:08.292Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T13:16:45.780

Modified: 2026-04-30T15:18:26.430

Link: CVE-2026-5412

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:06:04Z

Weaknesses