Compliance Impact

This vulnerability allows low-privileged authenticated users to extract sensitive cloud credentials used to bootstrap the Juju controller. Such unauthorized disclosure of sensitive credentials can lead to breaches of confidentiality and unauthorized access to cloud resources.

Because the vulnerability exposes highly sensitive information due to improper authorization controls, it can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict protection of sensitive data and credentials.

Organizations using affected Juju versions may face increased risk of data breaches or unauthorized access, potentially leading to violations of data protection and security requirements mandated by these regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-5412 is a critical authorization vulnerability in Juju versions prior to 2.9.57 and 3.6.21. It allows an authenticated user with low privileges to call the CloudSpec API method on the Controller facade and extract sensitive cloud credentials used to bootstrap the controller.

The root cause is improper authorization where access to credential details is not restricted to controller superusers or model admins, allowing unauthorized disclosure of highly sensitive information.

This means that users who only have login permission and know the controller model UUID can retrieve confidential credentials that should only be accessible to high-privileged users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows low-privileged users to access highly sensitive cloud credentials.

With these credentials, an attacker could potentially compromise the confidentiality, integrity, and availability of the cloud environment managed by Juju.

The CVSS v3.1 base score is 9.9, indicating critical severity with network attack vector, low attack complexity, and no user interaction required.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to the CloudSpec API method on the Juju controller facade, which can be invoked by authenticated users with minimal permissions if they know the controller model UUID.

Detection can focus on monitoring access to the controller API port 17070, as this is the port used by the controller service and Juju CLI clients.

You can detect suspicious activity by checking for unexpected or unauthorized calls to the CloudSpec API or unusual access patterns on port 17070.

• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic on port 17070 and analyze for unauthorized API calls.
• On the controller machine, use commands like `netstat -tulnp | grep 17070` or `ss -tulnp | grep 17070` to verify which processes are listening on the API port.
• Review Juju controller logs for API calls to CloudSpec methods by users without superuser or model admin privileges.
• Audit user permissions and check for any low-privileged users accessing sensitive credential information.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation is to restrict network ingress to the Juju controller API port 17070 on all controller machines or the controller service in Kubernetes deployments.

This restriction should be balanced with the need for legitimate Juju CLI and client access to this port.

Additionally, ensure that only trusted users have access to the controller and that user permissions are properly managed to prevent low-privileged users from invoking the CloudSpec API.

Upgrade Juju to versions 2.9.57 or 3.6.21 (or later) as soon as patches become available, since these versions include fixes that restrict CloudSpec API credentials visibility exclusively to admin users.

Useful 0 Not Useful 0