CVE-2025-68152
Received Received - Intake
Unauthorized Log File Access in Juju Controller Workloads

Publication date: 2026-04-03

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called β€˜charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68152
EUVD
EUVD-2025-209209
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
canonical juju From 2.9 (inc) to 2.9.55 (inc)
canonical juju From 3.6 (inc) to 3.6.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2025-68152 allows a compromised workload machine under a Juju controller to read any log file for any entity in any model at any log level, including debug and trace logs. These logs may contain sensitive information that could be used for further attacks.

Unauthorized access to sensitive log data can lead to exposure of personal or confidential information, which may violate data protection requirements in standards and regulations such as GDPR and HIPAA.

Therefore, this vulnerability could negatively impact compliance by enabling unauthorized disclosure of sensitive data, undermining confidentiality and access control requirements mandated by these regulations.

Executive Summary

CVE-2025-68152 is a vulnerability in Juju, an open source application orchestration engine. It affects Juju controller versions from 2.9 up to but not including 2.9.56, and from 3.6 up to but not including 3.6.19. The issue allows a compromised workload machine under a Juju controller to read any log file for any entity in any model at any log level.

This happens because of insufficient authorization checks on a debug log endpoint in the Juju API server that streams controller logs. Specifically, a compromised machine agent can use credentials found on the machine to authenticate and retrieve debug logs from any part of the controller environment, including logs from the controller, models, and charms. These logs may contain sensitive information that could be used for further attacks.

Impact Analysis

If an attacker compromises a workload machine under a Juju controller, they can exploit this vulnerability to access all log files across all models and entities at any log level. This unauthorized access to logs can expose sensitive information such as debug and trace data, which may include credentials, configuration details, or other information useful for escalating attacks or gaining deeper access within the infrastructure.

This lateral movement within the controller environment can lead to further compromise of the system, potentially affecting the confidentiality and integrity of applications managed by Juju.

Detection Guidance

This vulnerability can be detected by checking if any workload machine under a Juju controller is able to access the debug log endpoint of the Juju API server without proper authorization. Specifically, an attacker might use credentials found in the compromised machine’s agent.conf file to authenticate and retrieve debug logs from any part of the controller.

To detect potential exploitation, you can monitor access logs of the Juju API server for unusual or unauthorized requests to the `/log` HTTP endpoint, especially those authenticated as machine agents.

Suggested commands include inspecting the agent.conf file on workload machines to see if credentials could be compromised, and using network monitoring tools to detect HTTP requests to the `/log` endpoint.

  • Check for presence of agent.conf files on workload machines and review their contents for credentials.
  • Use network monitoring or packet capture tools (e.g., tcpdump, Wireshark) to filter HTTP requests to the Juju controller's `/log` endpoint.
  • Review Juju API server logs for access attempts to the `/log` endpoint, focusing on authentication as machine agents or unusual access patterns.
Mitigation Strategies

The primary mitigation step is to upgrade Juju to a patched version where this vulnerability is fixed. Specifically, upgrade to Juju versions 2.9.56 or later in the 2.9 series, or 3.6.19 or later in the 3.6 series.

The patch enforces stricter authorization checks on the debug-log API endpoint, requiring explicit read permissions on the model, thus preventing unauthorized access to logs.

Until the upgrade can be applied, restrict access to the Juju API server and its `/log` endpoint to trusted users only, and monitor for suspicious activity.

  • Upgrade Juju controller to version 2.9.56, 3.6.19, or later.
  • Restrict network access to the Juju API server, especially the `/log` endpoint.
  • Audit and rotate credentials found in agent.conf files on workload machines.
  • Monitor Juju API server logs for unauthorized access attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68152. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart