CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68153: Incorrect Authorization Leading to Resource Poisoning in Juju Apiserver

Vulnerability ID: CVE-2025-68153
CVSS Score: 7.1
Published: 2026-04-03

A critical incorrect authorization vulnerability in the Juju apiserver resource management endpoint allows low-privileged, authenticated entities to bypass model boundaries. Attackers can perform cross-model resource poisoning by uploading malicious payloads, leading to remote code execution on target workloads.

TL;DR

Juju apiserver fails to enforce model-scoped authorization for resource uploads. Authenticated users can overwrite resources in any model, leading to resource poisoning and RCE on target workloads.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Network
  • CVSS 4.0: 7.1 (High)
  • Impact: Resource Poisoning / RCE
  • Exploit Status: Proof of Concept
  • Privileges Required: Low (Authenticated)

Affected Systems

  • Juju Application Orchestration Engine
  • Juju: >= 2.9.0, < 2.9.56 (Fixed in: 2.9.56)
  • Juju: >= 3.6.0, < 3.6.19 (Fixed in: 3.6.19)

Code Analysis

Commit: 26ff93c

The fix for resource upload authorization separates the upload handlers and adds explicit WriteAccess checks against the model named in the request, so that an authenticated entity can no longer write resources into a model it does not have write access to.
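To make the CWE-863 pattern concrete, the following is an added, deliberately simplified illustration (not Juju's apiserver code and not the content of commit 26ff93c): a resource-upload authorizer that only checks authentication, beside one that performs the explicit, model-scoped write-access check the fix describes. The Entity, UploadRequest and agentWriteAccess types and the "an agent may write only to its own model" policy are constructed assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Entity is an authenticated caller (for example a unit or machine agent)
// together with the model it belongs to. Assumption for this example:
// every agent is scoped to exactly one model.
type Entity struct {
	Tag       string // constructed sample tag, e.g. "unit-web-0"
	ModelUUID string
}

// UploadRequest holds the parts of a resource PUT that matter for
// authorization: who is calling and which model the request path names.
type UploadRequest struct {
	Caller      Entity
	TargetModel string // model UUID taken from the request path
	Application string
	Resource    string
}

// ErrForbidden is returned when the caller is authenticated but may not
// write to the requested model.
var ErrForbidden = errors.New("forbidden: caller lacks write access to target model")

// vulnerableAuthorize shows the incorrect-authorization shape: it checks
// that the caller is authenticated but never compares the caller against
// the model in the path, so any agent can write into any model.
func vulnerableAuthorize(req UploadRequest) error {
	if req.Caller.Tag == "" {
		return errors.New("unauthenticated")
	}
	return nil
}

// fixedAuthorize adds the explicit, model-scoped write-access check:
// authentication alone is not enough; the policy must grant write access
// to the specific model named in the request.
func fixedAuthorize(req UploadRequest, hasWriteAccess func(Entity, string) bool) error {
	if req.Caller.Tag == "" {
		return errors.New("unauthenticated")
	}
	if !hasWriteAccess(req.Caller, req.TargetModel) {
		return ErrForbidden
	}
	return nil
}

// agentWriteAccess is a constructed least-privilege policy: an agent may
// write resources only into the model it belongs to.
func agentWriteAccess(e Entity, model string) bool {
	return e.ModelUUID != "" && e.ModelUUID == model
}

func main() {
	caller := Entity{Tag: "unit-web-0", ModelUUID: "aaaa-1111"}
	cross := UploadRequest{Caller: caller, TargetModel: "bbbb-2222", Application: "db", Resource: "snap"}
	fmt.Println("vulnerable check:", vulnerableAuthorize(cross))            // nil: cross-model write allowed
	fmt.Println("fixed check:     ", fixedAuthorize(cross, agentWriteAccess)) // ErrForbidden
}
```

The design point is that the authorization decision must take the target model as an input; a check that only proves identity is not an authorization check for a model-scoped endpoint.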

Mitigation Strategies

  • Upgrade Juju controllers to the official patched versions (2.9.56 or 3.6.19).
  • Restrict network access to the Juju apiserver using firewall rules.
  • Enforce least-privilege principles for machine agents and authentication entities.
  • Audit logs for anomalous HTTP PUT requests to resource endpoints.

Remediation Steps

  1. Identify the current branch of the deployed Juju controllers.
  2. Download the respective patch (2.9.56 for 2.9 branch, 3.6.19 for 3.6 branch).
  3. Apply the controller upgrade using the standard juju upgrade-controller workflow.
  4. Verify the version upgrade and monitor controller health.
  5. Implement log alerts for cross-model PUT requests.
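The last mitigation and remediation step (alerting on cross-model PUT requests to resource endpoints) can be prototyped as a log check. The following is an added example, not part of the original post or of Juju: it scans constructed sample log lines in a hypothetical key=value format and flags every PUT to a resource endpoint where the model in the request path differs from the model the calling entity belongs to. The log format, the entity_model field and the endpoint shape /model/<uuid>/(applications|units)/<name>/resources/<resource> are assumptions; adapt parseKV and resourcePath to the controller's actual log output.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example; it is not real Juju output.
const sampleLog = `2026-04-03T10:00:01Z method=PUT path=/model/aaaa-1111/applications/web/resources/app-bundle entity=unit-web-0 entity_model=aaaa-1111
2026-04-03T10:00:02Z method=GET path=/model/aaaa-1111/applications/web/resources/app-bundle entity=unit-web-0 entity_model=aaaa-1111
2026-04-03T10:00:03Z method=PUT path=/model/bbbb-2222/applications/db/resources/snap entity=unit-web-0 entity_model=aaaa-1111
2026-04-03T10:00:04Z method=PUT path=/model/bbbb-2222/units/db-0/resources/snap entity=machine-3 entity_model=cccc-3333
garbage line that does not parse`

// resourcePath captures the model UUID from a resource endpoint path
// (assumed shape for this example).
var resourcePath = regexp.MustCompile(`^/model/([^/]+)/(applications|units)/([^/]+)/resources/([^/]+)$`)

// Finding describes one suspicious cross-model resource upload.
type Finding struct {
	Time        string
	Entity      string
	EntityModel string
	TargetModel string
	Path        string
}

// parseKV splits "key=value" tokens out of a log line; tokens without '='
// (such as the timestamp) are ignored.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// FindCrossModelPuts returns every PUT to a resource endpoint whose path
// model differs from (or is missing) the caller's own model. Non-PUT
// requests and unparseable lines are skipped rather than treated as errors.
func FindCrossModelPuts(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		kv := parseKV(line)
		if kv["method"] != "PUT" {
			continue
		}
		m := resourcePath.FindStringSubmatch(kv["path"])
		if m == nil {
			continue
		}
		target := m[1]
		if kv["entity_model"] == "" || kv["entity_model"] != target {
			out = append(out, Finding{
				Time: fields[0], Entity: kv["entity"], EntityModel: kv["entity_model"],
				TargetModel: target, Path: kv["path"],
			})
		}
	}
	return out
}

func main() {
	for _, f := range FindCrossModelPuts(sampleLog) {
		fmt.Printf("%s ALERT cross-model resource PUT by %s (model %s) into model %s: %s\n",
			f.Time, f.Entity, f.EntityModel, f.TargetModel, f.Path)
	}
}
```

On the sample input the check raises two findings (unit-web-0 writing into bbbb-2222, and machine-3 writing into bbbb-2222) and ignores the same-model PUT and the GET. Once controllers are on 2.9.56 or 3.6.19 such requests should be rejected by the apiserver itself; the alert then serves as a detective control for attempts and for any controller that missed the upgrade.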
