CVE-2026-5412

Received

Published: 10 Apr 2026, 12:22

Last modified:10 Apr 2026, 14:04

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.9 CRITICAL

v3.1 (cve.org)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 Apr 2026, 12:22

Published

Vulnerability first disclosed

10 Apr 2026, 14:04

Last Modified

Vulnerability information updated

Description

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

CVSS Metrics

v3.1•CRITICAL•Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Techniques & Countermeasures

CWE-285•Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

canonical•juju
≥ 2.9.0, < 2.9.57 | ≥ 3.6.0, < 3.6.21