Critical severity 9.9 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 30, 2026
CVE-2026-5412
Description
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/juju/juju (Go) | < 0.0.0-20260408003526-d395054dc2c3 | 0.0.0-20260408003526-d395054dc2c3 |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/juju/juju/pull/22205 (nvd; Issue Tracking, Patch; WEB)
- github.com/juju/juju/pull/22206 (nvd; Issue Tracking, Patch; WEB)
- github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969 (nvd; Exploit, Third Party Advisory; WEB)
- github.com/advisories/GHSA-w5fq-8965-c969 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-5412 (ghsa; ADVISORY)