DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-5412: Broken Access Control in Juju API Leads to Cloud Credential Leak


Vulnerability ID: CVE-2026-5412
CVSS Score: 9.9
Published: 2026-04-10

CVE-2026-5412 is a critical improper authorization vulnerability within the Canonical Juju API server. Low-privileged authenticated users can bypass authorization controls via the Controller facade to extract plaintext bootstrap cloud credentials, leading to total compromise of the underlying cloud environment.

TL;DR

Authenticated attackers can exploit missing access controls in Juju's CloudSpec API method to retrieve plaintext cloud provider credentials, granting them full control over the host infrastructure.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285
  • CVSS Score: 9.9
  • Attack Vector: Network
  • Privileges Required: Low
  • Scope: Changed
  • Exploit Maturity: PoC

Affected Systems

  • Canonical Juju 2.9.x: >= 2.9.0, < 2.9.57 (fixed in 2.9.57)
  • Canonical Juju 3.6.x: >= 3.6.0, < 3.6.21 (fixed in 3.6.21)
  • AWS, Azure, OpenStack, and GCP environments managed by vulnerable Juju controllers

Code Analysis

Commit: 80a52cb

Main authorization fix for CloudSpec API

Commit: 8ff4880

Initial patch for related data race in login handler

Mitigation Strategies

  • Upgrade Juju controller binaries to patched versions.
  • Rotate cloud provider bootstrap credentials.
  • Enforce network-level access controls on TCP port 17070.
  • Audit and restrict Juju user accounts based on least privilege.

Remediation Steps

  1. Identify the current version of the Juju controller using the Juju CLI.
  2. Execute the Juju upgrade-controller command to update to version 2.9.57 or 3.6.21.
  3. Generate new API credentials within the respective cloud provider (AWS, Azure, etc.).
  4. Apply the new credentials to the Juju controller configuration.
  5. Revoke and delete the old cloud provider credentials from the cloud provider IAM interface.
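Step 1 above asks you to identify the controller version before deciding whether to upgrade. The following POSIX shell script is an added example, not code from cvereports.com or from Canonical: it classifies a Juju version string against the two affected ranges listed under Affected Systems, so the check can be run across a fleet instead of by eye. It assumes the version string has the shape `juju version` prints (`3.6.20-ubuntu-amd64`) or a bare `x.y.z`; anything else is reported as unknown rather than as safe.

```shell
#!/bin/sh
# Added example (not from the original report or from Canonical): classify a Juju
# version string against the ranges affected by CVE-2026-5412
# (2.9.0 <= v < 2.9.57 and 3.6.0 <= v < 3.6.21).
# Assumption: input looks like "3.6.20-ubuntu-amd64" (the shape `juju version`
# prints) or "3.6.20"; any other prefix is reported as unknown.

# Echo "MAJOR MINOR PATCH" for a version string, or nothing if it has no x.y.z prefix.
juju_version_core() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit status: 0 = inside an affected range, 1 = not affected (patched build or a
# series the report does not list), 2 = unparseable (treat as unknown, not as safe).
juju_is_vulnerable() {
    set -- $(juju_version_core "$1")
    [ "$#" -eq 3 ] || return 2
    case "$1.$2" in
        2.9) [ "$3" -lt 57 ] && return 0 ;;
        3.6) [ "$3" -lt 21 ] && return 0 ;;
    esac
    return 1
}

# Human-readable verdict naming the fixed version from the Affected Systems list.
juju_verdict() {
    rc=0
    juju_is_vulnerable "$1" || rc=$?
    core=$(juju_version_core "$1")
    case "$rc" in
        0)
            case "$core" in
                "2 9 "*) echo "VULNERABLE ($1): upgrade controller to 2.9.57 and rotate cloud credentials" ;;
                *)       echo "VULNERABLE ($1): upgrade controller to 3.6.21 and rotate cloud credentials" ;;
            esac ;;
        1) echo "not affected ($1)" ;;
        *) echo "unknown ($1): could not parse version" ;;
    esac
}

# Usage: sh juju_cve_2026_5412_check.sh "$(juju version)"   (assumes the juju CLI is on PATH)
# or pass several recorded version strings as separate arguments.
if [ "$#" -gt 0 ]; then
    for v in "$@"; do juju_verdict "$v"; done
fi
```

Feed it the output of `juju version` from each controller host you manage; a "VULNERABLE" verdict means steps 2 through 5 above still apply to that controller, including credential rotation, since a patched binary does not invalidate credentials that may already have been read.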

Read the full report for CVE-2026-5412 on our website for more details including interactive diagrams and full exploit analysis.
