CVE-2026-5412

9.9 CRITICAL

Published: April 10, 2026 Modified: April 10, 2026

Description

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/juju/juju/pull/22205

Source: security@ubuntu.com

https://github.com/juju/juju/pull/22206

Source: security@ubuntu.com

https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969

Source: security@ubuntu.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.9 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-285

Related CVEs

CVE-2026-5774 N/A

CVE-2026-5777 N/A

CVE-2026-39304 N/A

CVE-2026-31412 N/A

CVE-2026-6057 N/A