{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5412", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T07:07:23.750Z", "datePublished": "2026-04-10T12:22:05.403Z", "dateUpdated": "2026-04-10T14:04:30.155Z"}, "containers": {"cna": {"title": "Juju CloudSpec API could leak senstive information", "affected": [{"vendor": "Canonical", "product": "Juju", "platforms": ["Linux"], "collectionURL": "https://github.com/juju/", "packageName": "juju", "repo": "https://github.com/juju/juju", "versions": [{"status": "affected", "version": "2.9.0", "lessThan": "2.9.57", "versionType": "semver"}, {"status": "affected", "version": "3.6.0", "lessThan": "3.6.21", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37: Retrieve Embedded Sensitive Data"}]}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969", "name": "CloudSpec method leaking cloud credentials", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/juju/juju/pull/22206", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/juju/juju/pull/22205", "tags": ["patch", "issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Ales Stimec", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-10T12:22:05.403Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:03:51.021044Z", "id": "CVE-2026-5412", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:04:30.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5412", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-10T14:03:51.021044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:04:08.292Z"}}], "cna": {"title": "Juju CloudSpec API could leak senstive information", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Ales Stimec"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37: Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/juju/juju", "vendor": "Canonical", "product": "Juju", "versions": [{"status": "affected", "version": "2.9.0", "lessThan": "2.9.57", "versionType": "semver"}, {"status": "affected", "version": "3.6.0", "lessThan": "3.6.21", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "juju", "collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969", "name": "CloudSpec method leaking cloud credentials", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/juju/juju/pull/22206", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/juju/juju/pull/22205", "tags": ["patch", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-10T12:22:05.403Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5412", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:04:30.155Z", "dateReserved": "2026-04-02T07:07:23.750Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-10T12:22:05.403Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2161D9F-0627-4EAF-A6FD-81B9056D31FC", "versionEndExcluding": "2.9.57", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "2966CF99-1F57-40F3-8EFA-161BF47644DB", "versionEndExcluding": "3.6.21", "versionStartIncluding": "3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."}], "id": "CVE-2026-5412", "lastModified": "2026-04-30T15:18:26.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T13:16:45.780", "references": [{"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/juju/juju/pull/22205"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/juju/juju/pull/22206"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2.9.0,2.9.57)"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[3.6.0,3.6.21)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Juju", "source": "cna", "vendor": "Canonical"}, "product": "juju", "vendor": "canonical"}], "analysis": {"en": {"generated_at": "2026-04-10T13:50:40.735913+00:00", "value": {"mitigation_remediation": ["Upgrade Juju to version 2.9.57 or later, or to Juju 3.6.21 or later", "Verify that the upgrade was successful and that no older controller forms remain"], "summary": {"action": "Immediate Patch", "impact": "Sensitive credential disclosure"}, "threat_synthesis": {"affected_systems": "Canonical Juju is affected. Versions prior to 2.9.57 and 3.6.21 have the flaw. Upgrading to Juju 2.9.57 or later, or to Juju 3.6.21 or later, resolves the issue.", "description_and_impact": "An authorization flaw in Juju\u2019s Controller facade allows an authenticated user to invoke the CloudSpec API and retrieve the cloud credentials that were used to bootstrap the controller. The vulnerability exposes sensitive credential data to a low\u2011privileged user, resulting in a severe confidentiality breach. The weakness is classed as improper authorization (CWE\u2011285).", "risk_and_exploitability": "The CVSS score of 9.9 indicates critical severity. While an EPSS score was not provided, the vulnerability is not listed in the CISA KEV catalog, suggesting no active exploit reported. An attacker only needs authenticated access with low privileges and can exploit the CloudSpec API to pull credentials. The attack vector is internal to the Juju platform and does not require additional network exposure. Prompt patching is therefore essential to mitigate potential compromise of cloud accounts."}}}}, "created": "2026-04-10T14:40:45.960734+00:00", "updated": "2026-04-13T13:06:04.482633+00:00", "vendors": ["canonical", "canonical$PRODUCT$juju"]}