CVE-2025-68153 HIGH

CVE-2025-68153: Juju: Resource poisoning

Vendor Juju

Product juju

Weakness CWE-863 · Incorrect authorization

Published April 3, 2026

Last update April 4, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.

Key dates

02Disclosure timeline

April 3, 2026 CVE published

April 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-68153

Related vulnerabilities

04Related CVE

CVE-2022-2155 A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role. CVE-2025-12555 Incorrect Authorization in GitLab CVE-2024-34701 CreateWiki vulnerable to impersonation of wiki requester CVE-2026-40914 Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission CVE-2025-8533 Incorrect Authorization of XPC Service in Fantastical.app

Identifiers

CVE CVE-2025-68153

CWE CWE-863

CVSS 7.1 / HIGH

Affected versions

Vendor Juju

Product juju

Affected >= 2.9, < 2.9.56

Vendor Juju

Product juju

Affected >= 3.6, < 3.6.19