CVE-2025-68152
Unauthorized Log File Access in Juju Controller Workloads
Publication date: 2026-04-03
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | juju | From 2.9 (inc) to 2.9.55 (inc) |
| canonical | juju | From 3.6 (inc) to 3.6.18 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2025-68152 allows a compromised workload machine under a Juju controller to read any log file for any entity in any model at any log level, including debug and trace logs. These logs may contain sensitive information that could be used for further attacks.
Unauthorized access to sensitive log data can lead to exposure of personal or confidential information, which may violate data protection requirements in standards and regulations such as GDPR and HIPAA.
Therefore, this vulnerability could negatively impact compliance by enabling unauthorized disclosure of sensitive data, undermining confidentiality and access control requirements mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2025-68152 is a vulnerability in Juju, an open source application orchestration engine. It affects Juju controller versions from 2.9 up to but not including 2.9.56, and from 3.6 up to but not including 3.6.19. The issue allows a compromised workload machine under a Juju controller to read any log file for any entity in any model at any log level.
This happens because of insufficient authorization checks on a debug log endpoint in the Juju API server that streams controller logs. Specifically, a compromised machine agent can use credentials found on the machine to authenticate and retrieve debug logs from any part of the controller environment, including logs from the controller, models, and charms. These logs may contain sensitive information that could be used for further attacks.
How can this vulnerability impact me?
If an attacker compromises a workload machine under a Juju controller, they can exploit this vulnerability to access all log files across all models and entities at any log level. This unauthorized access to logs can expose sensitive information such as debug and trace data, which may include credentials, configuration details, or other information useful for escalating attacks or gaining deeper access within the infrastructure.
This lateral movement within the controller environment can lead to further compromise of the system, potentially affecting the confidentiality and integrity of applications managed by Juju.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. The reliable one is the controller version: any controller running 2.9.0 through 2.9.55 or 3.6.0 through 3.6.18 (inclusive) carries the weak debug-log authorization check, however the workloads are deployed. The exploit path is that an attacker on a compromised workload machine takes the machine agent's own API credentials from that machine's `agent.conf` and uses them to open the debug-log endpoint, streaming logs for models that machine has no business reading.
Evidence of exploitation has to come from the controller side, not from the wire. The Juju API is served over TLS (port 17070 by default), so a packet capture shows only encrypted sessions and cannot filter on the `/log` path; what you can see on the controller is the debug-log endpoint being opened with a machine agent's identity, particularly for models other than the one that machine belongs to.
Practical checks:
- Read the controller version (`juju show-controller` prints it as `agent-version`) and compare it with the affected ranges above; this is the check that actually settles whether you are exposed.
- Remember that every Juju machine holds its agent's API credentials in `/var/lib/juju/agents/machine-N/agent.conf` by design, so the file's presence is not an indicator. Any host where an attacker may have read that file should be treated as holding valid controller credentials.
- Use tcpdump or Wireshark to spot sessions to the controller's API port from hosts that are not Juju machines, not to filter on `/log`, which TLS hides. Review the controller's own logs for debug-log access authenticated as a machine agent or showing unusual access patterns.
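The version check above, carried through as a small triage script. This is an added example, not code from the advisory or from the Juju project: it compares a controller's `agent-version` against the affected ranges in the table on this page. The JSON layout of `juju show-controller --format=json` is assumed to be `{"<name>": {"details": {"agent-version": "X.Y.Z", ...}}}`, and the sample output embedded below is constructed, not captured from a real controller.

```python
"""Triage Juju controllers for CVE-2025-68152 by agent version.

Added example (not from the advisory or the Juju project). The affected ranges
come from the "Affected Vendors & Products" table on this page; the JSON shape
of `juju show-controller --format=json` is an assumption, and the sample below
is constructed for illustration.
"""
import json
import re
import sys

# Inclusive affected ranges, as (major, minor, patch) tuples, taken from the
# page's table: 2.9.0-2.9.55 and 3.6.0-3.6.18.
AFFECTED_RANGES = (
    ((2, 9, 0), (2, 9, 55)),
    ((3, 6, 0), (3, 6, 18)),
)
# First fixed release per affected series, from the advisory text.
FIXED_VERSIONS = {(2, 9): (2, 9, 56), (3, 6): (3, 6, 19)}

# Major.minor with an optional patch; anything after that (a fourth build
# number such as 2.9.55.1, or a -beta suffix) is ignored for the range check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '3.6.18', '2.9' or '2.9.55.1' into a (major, minor, patch) tuple.

    A missing patch component (as printed for some dev builds) counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Juju version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage_show_controller(show_controller_json):
    """Map each controller name to a verdict string.

    Input is the text of `juju show-controller --format=json` (assumed shape:
    {"<name>": {"details": {"agent-version": ...}}}). A series the page does
    not list (e.g. 3.5) is reported as "not in a listed affected range", which
    is deliberately weaker than "safe": the table only covers 2.9 and 3.6."""
    data = json.loads(show_controller_json)
    report = {}
    for name, info in data.items():
        version = info.get("details", {}).get("agent-version")
        if version is None:
            report[name] = "unknown: no agent-version in show-controller output"
            continue
        try:
            v = parse_version(version)
        except ValueError as exc:
            report[name] = f"unknown: {exc}"
            continue
        if is_affected(version):
            fixed = ".".join(map(str, FIXED_VERSIONS[v[:2]]))
            report[name] = f"VULNERABLE ({version}); upgrade to {fixed} or later"
        else:
            report[name] = f"not in a listed affected range ({version})"
    return report


# Constructed sample standing in for real `juju show-controller --format=json`
# output; controller names and versions are invented for the demonstration.
SAMPLE_SHOW_CONTROLLER = json.dumps({
    "prod-ctl": {"details": {"agent-version": "3.6.18"}},
    "legacy-ctl": {"details": {"agent-version": "2.9.55"}},
    "patched-ctl": {"details": {"agent-version": "3.6.19"}},
    "other-series": {"details": {"agent-version": "3.5.7"}},
})


if __name__ == "__main__":
    # Pipe real output in (`juju show-controller --format=json | python3 triage.py`)
    # or run without stdin to see the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW_CONTROLLER
    for name, verdict in triage_show_controller(raw).items():
        print(f"{name}: {verdict}")
```

The range check is intentionally inclusive at both ends because the table states the ranges that way (`2.9.55 (inc)`, `3.6.18 (inc)`); a 3.x controller outside the 3.6 series gets a non-committal verdict rather than a clean bill of health, since the page lists no other series.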
What immediate steps should I take to mitigate this vulnerability?
The only fix is to upgrade the controller to a patched release: 2.9.56 or later in the 2.9 series, or 3.6.19 or later in the 3.6 series.
The patch enforces stricter authorization checks on the debug-log API endpoint, requiring explicit read permission on the model whose logs are requested, so a machine agent can no longer stream logs for models it has no rights to.
Until you can upgrade, be realistic about the interim options. Machine agents must reach the API server to function, so a network ACL on the API port cannot block this path without breaking every deployment. What you can do is reduce the chance that a workload machine is compromised in the first place (limit who can reach those machines and who has root on them), reduce what the logs reveal by keeping model `logging-config` at INFO rather than DEBUG or TRACE unless you are actively troubleshooting, and watch the controller for debug-log use by machine agents.
- Upgrade the controller to 2.9.56 or later (2.9 series) or 3.6.19 or later (3.6 series).
- Limit exposure of the workload machines rather than of the API port, which the agents must reach; keep model logging at INFO where debug or trace detail is not needed.
- Treat any `agent.conf` an attacker may have read as a live controller credential. The password in it is that machine agent's identity, so for a known-compromised machine the dependable remediation is to remove the machine from the model and redeploy its workload rather than keep using it.
- Monitor the controller's logs for debug-log access by machine agents.