CVE-2026-5412 CRITICAL

CVE-2026-5412: Juju CloudSpec API could leak senstive information

Vendor Canonical

Product Juju

Weakness CWE-285

Published April 10, 2026

Last update April 10, 2026

View on NVD All CVEs

CVSS base score

9.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

Key dates

02Disclosure timeline

April 10, 2026 CVE published

April 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-5412

Related vulnerabilities

04Related CVE

CVE-2026-2109 jsbroks COCO Annotator Delete Category undo improper authorization CVE-2024-12347 Guangzhou Huayi Intelligent Technology Jeewms Druid Monitoring Interface index.html improper authorization CVE-2025-12958 Rankology SEO and Analytics Tool <= 2.0 - Incorrect Authorization to Authenticated (Editor+) Header & Footer Code Creation CVE-2023-28634 GLPI vulnerable to Privilege Escalation from Technician to Super-Admin CVE-2023-53895 PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint

Identifiers

CVE CVE-2026-5412

CWE CWE-285

CVSS 9.9 / CRITICAL

Affected versions

Vendor Canonical

Product Juju

Affected ≥ 2.9.0 and < 2.9.57

Vendor Canonical

Product Juju

Affected ≥ 3.6.0 and < 3.6.21