CVE Reports

Originally published at cvereports.com
CVE-2025-68152: Cross-Model Log Leakage via Incorrect Authorization in Juju API

Vulnerability ID: CVE-2025-68152
CVSS Score: 6.9
Published: 2026-04-03

Juju versions 2.9 (prior to 2.9.56) and 3.6 (prior to 3.6.19) suffer from an incorrect authorization vulnerability in the API server. An attacker compromising a single workload machine can use local agent credentials to bypass model isolation and stream debug logs across the entire deployment, including the central controller.

TL;DR

Missing scope validation in the Juju API allows a compromised machine agent to read logs from any model, exposing cross-environment secrets.


Technical Details

  • CWE: CWE-863: Incorrect Authorization
  • Attack Vector: Network
  • Privileges Required: High (Compromised Workload Agent)
  • CVSS v4.0: 6.9 (Medium)
  • Impact: Cross-Model Information Disclosure (Secrets Leakage)
  • Exploit Status: None
  • KEV Status: Not Listed

Affected Systems

  • Juju Application Orchestration Engine
  • Juju: >= 2.9, < 2.9.56 (Fixed in: 2.9.56)
  • Juju: >= 3.6, < 3.6.19 (Fixed in: 3.6.19)

Code Analysis

Commit: 22cdcf6

Auth Refactor: Restructuring of the authorization logic underlying the API endpoints.

Commit: c91a1f4

DebugLog Scoping: Implementation of CompositeAuthorizer and modelPermissionAuthorizer for the debuglog endpoint.

Commit: 1a8d84e

Synthetic Applications: Additional checks to prevent cross-model leakage via proxy application objects.

Mitigation Strategies

  • Upgrade Juju controller and agents to patched versions (2.9.56 or 3.6.19)
  • Implement network segmentation to restrict workload access to the Juju controller API
  • Monitor API request logs for cross-model DebugLog access anomalies
  • Rotate machine agent credentials on any suspected compromised workload
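As an added detection example (not from the original report or from the Juju project), the check below flags DebugLog requests in which a machine agent reads a model other than its own, which is the cross-model access the monitoring bullet above refers to, and lists the agents whose credentials would then be rotation candidates. The log layout, field names and model identifiers are constructed assumptions, not Juju's real API log format.

```python
import re
from collections import defaultdict

# Constructed sample input; the key=value layout and field names are assumptions,
# not Juju's real API request log format. One API request per line.
SAMPLE_LOG = """\
2026-04-03T10:00:01Z model=aaaa-1111 agent=machine-0 facade=DebugLog target_model=aaaa-1111
2026-04-03T10:00:02Z model=aaaa-1111 agent=machine-0 facade=Uniter target_model=aaaa-1111
2026-04-03T10:00:03Z model=aaaa-1111 agent=machine-2 facade=DebugLog target_model=bbbb-2222
2026-04-03T10:00:04Z model=aaaa-1111 agent=machine-2 facade=DebugLog target_model=controller
2026-04-03T10:00:05Z model=controller agent=user-admin facade=DebugLog target_model=bbbb-2222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) model=(?P<model>\S+) agent=(?P<agent>\S+) "
    r"facade=(?P<facade>\S+) target_model=(?P<target>\S+)$"
)


def parse_requests(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_cross_model_debuglog(log_text):
    """Return (timestamp, agent, home_model, target_model) for every DebugLog
    request by a machine agent whose target differs from the agent's own model.
    Only machine agents are checked: a workload agent has no legitimate reason
    to read another model's logs, while users may hold read access on several."""
    findings = []
    for req in parse_requests(log_text):
        if req["facade"] != "DebugLog" or not req["agent"].startswith("machine-"):
            continue
        if req["target"] != req["model"]:
            findings.append((req["ts"], req["agent"], req["model"], req["target"]))
    return findings


def agents_to_rotate(log_text):
    """Map each offending machine agent to the set of foreign models it read,
    i.e. the credential-rotation candidates from the mitigation list."""
    touched = defaultdict(set)
    for _, agent, _, target in find_cross_model_debuglog(log_text):
        touched[agent].add(target)
    return dict(touched)
```

Run against a real export, replace `LINE_RE` with a pattern for the actual log format and keep the two-field comparison (requesting agent's model versus requested model) as the detection rule.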

Remediation Steps:

  1. Verify the current Juju controller version using the juju status command.
  2. Schedule a maintenance window for controller and agent upgrades.
  3. Execute the upgrade process to deploy version 2.9.56 or 3.6.19 depending on the active release branch.
  4. Verify that all machine agents successfully reconnect to the patched controller.
  5. Audit existing controller logs to identify any historical indicators of compromise or unauthorized log streaming.
