Authorization Bypass
github.com/juju/juju is vulnerable to Authorization Bypass. The vulnerability is due to insufficient authorization checks in the Controller facade CloudSpec API method, which allows a low-privileged authenticated attacker to access sensitive cloud credentials...
CVE-2026-5412
CVE-2026-5412 (Juju) : An authorization issue in the Juju Controller facade allows an authenticated, low-privileged user to call the CloudSpec API and extract cloud credentials used to bootstrap the controller. This affects Juju versions prior to 2.9.57 and 3.6.21. The issue is mitigated by upgra...
EUVD-2025-209211
Juju has a resource poisoning vulnerability...
EUVD-2025-209209
Juju: Read All Controller Logs From Compromised Workload...
CVE-2025-68152 Juju: Read All Controller Logs From Compromised Workload
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju...
PT-2026-30121
Name of the Vulnerable Software and Affected Versions: Juju versions 2.9 through 2.9.55 and 3.6 through 3.6.18
Description: Juju, an application orchestration engine, allows any authenticated user, machine, or controller to modify application resources within a Juju controller. This impacts version...
EUVD-2026-17847
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster...
CVE-2026-4370
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client...
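The entry above comes down to one TLS setting on the cluster's database endpoint: whether the server demands and verifies a client certificate from a known CA, and whether the client verifies the server. The following is an added example, not Juju or Dqlite code, that builds a throwaway CA, a controller-side server certificate, a legitimate peer certificate and a certificate from an unrelated "rogue" CA (all names made up here), then connects each peer to a loopback listener under the weak policy (tls.NoClientCert) and the corrected one (tls.RequireAndVerifyClientCert):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

var serial int64

// makeCert issues a cert for cn: self-signed CA when parent == nil, else a leaf signed
// by parent/parentKey. Every name here is an assumption for the example.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN so the client can verify the server
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// serve listens on loopback with the given client-auth policy and writes "ok" only after a
// successful handshake, so a post-handshake rejection (TLS 1.3) is still visible to the client.
func serve(cert tls.Certificate, clientCAs *x509.CertPool, policy tls.ClientAuthType) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientCAs:    clientCAs, // the only CA allowed to vouch for cluster peers
		ClientAuth:   policy,    // NoClientCert is the weak setting; RequireAndVerifyClientCert is the fix
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if c.(*tls.Conn).Handshake() == nil {
					c.Write([]byte("ok"))
				}
			}(c)
		}
	}()
	return ln, nil
}

// connect dials addr, verifies the server against roots (never InsecureSkipVerify),
// optionally presents cert, and succeeds only if the server answers "ok".
func connect(addr string, roots *x509.CertPool, cert *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
	_, err = io.ReadFull(conn, make([]byte, 2))
	return err
}

// Outcome records which peers the endpoint admitted under one policy.
type Outcome struct{ NoCert, ClusterCert, RogueCert bool }

func RunPolicy(policy tls.ClientAuthType) (Outcome, error) {
	ca, caKey := makeCert("cluster-ca", true, nil, nil)
	rogueCA, rogueCAKey := makeCert("rogue-ca", true, nil, nil)
	srv, srvKey := makeCert("controller-db", false, ca, caKey)
	peer, peerKey := makeCert("controller-peer", false, ca, caKey)
	rogue, rogueKey := makeCert("rogue-peer", false, rogueCA, rogueCAKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := serve(tlsCert(srv, srvKey), pool, policy)
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	good, bad := tlsCert(peer, peerKey), tlsCert(rogue, rogueKey)
	addr := ln.Addr().String()
	return Outcome{
		NoCert:      connect(addr, pool, nil) == nil,
		ClusterCert: connect(addr, pool, &good) == nil,
		RogueCert:   connect(addr, pool, &bad) == nil,
	}, nil
}

func main() {
	for _, p := range []tls.ClientAuthType{tls.NoClientCert, tls.RequireAndVerifyClientCert} {
		o, err := RunPolicy(p)
		fmt.Printf("policy=%d admitted=%+v err=%v\n", p, o, err)
	}
}
```

Under the weak policy all three peers are admitted, including the one whose certificate chains to a CA the cluster has never heard of; under the corrected policy only the peer signed by the cluster CA gets in. The check a reviewer should look for in any Dqlite-style peer endpoint is exactly those two fields together: ClientCAs limited to the cluster's own CA and ClientAuth set to RequireAndVerifyClientCert, with the dialling side pinning RootCAs to that same CA.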
CVE-2026-32692
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within...
EUVD-2026-12819
Juju has unauthorized access to out-of-scope Kubernetes secrets...
CVE-2026-32694
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...
EUVD-2025-20665
Malicious code in bioql PyPI...
SUSE CVE-2025-0928
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or...
GO-2025-3806 Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization in github.com/juju/juju
Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization in github.com/juju/juju...
GHSA-R64V-82FH-XC63 Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization
Impact: Any user with a Juju account on a controller can read debug log messages from the /log endpoint. No specific permissions are required; it is sufficient for the user to exist in the controller user database. The log messages may contain sensitive information. Details: The /log endpoint ...
GHSA-24CH-W38V-XMH8 Juju zip slip vulnerability via authenticated endpoint
Impact: Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required; it is sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to...
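A zip slip works because an extractor joins the archive entry name onto its destination directory and trusts the result; a name such as ../../escaped.txt lands outside the charm directory. The following is an added example, not Juju's charm handling code, that constructs a small charm-like archive in memory (entry names and contents are made up here), extracts it once with the naive join and once with a path check that refuses escaping entries and symlinks, and reports whether the file escaped:

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrZipSlip = errors.New("archive entry escapes destination directory")

// safeJoin resolves an entry name under dest and rejects absolute names, NUL bytes, and
// any cleaned path whose relative form still climbs above dest.
func safeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrZipSlip
	}
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join cleans ".." but does not confine
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

// writeEntry copies one regular file or directory entry to target.
func writeEntry(f *zip.File, target string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// extractUnsafe is the classic bug: the entry name is trusted verbatim.
func extractUnsafe(r *zip.Reader, dest string) error {
	for _, f := range r.File {
		if err := writeEntry(f, filepath.Join(dest, f.Name)); err != nil {
			return err
		}
	}
	return nil
}

// extractSafe confines every entry to dest and refuses symlink entries, which could
// otherwise redirect later writes outside the tree.
func extractSafe(r *zip.Reader, dest string) error {
	for _, f := range r.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%s: symlink entries are not allowed", f.Name)
		}
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return fmt.Errorf("%s: %w", f.Name, err)
		}
		if err := writeEntry(f, target); err != nil {
			return err
		}
	}
	return nil
}

// buildCharmZip constructs the sample archive: one benign file and one traversal entry.
func buildCharmZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"metadata.yaml", "name: example\n"},
		{"../../escaped.txt", "owned\n"},
	} {
		w, _ := zw.Create(e.name)
		io.WriteString(w, e.body)
	}
	zw.Close()
	return buf.Bytes()
}

type Result struct {
	UnsafeEscaped bool // naive extractor wrote a file outside its destination
	SafeRejected  bool // hardened extractor refused the archive with ErrZipSlip
}

func Demo() (Result, error) {
	data := buildCharmZip()
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil { // newer Go may flag the traversal name but still hands back the reader
		return Result{}, err
	}
	root, err := os.MkdirTemp("", "zipslip")
	if err != nil {
		return Result{}, err
	}
	defer os.RemoveAll(root)
	var res Result
	dest := filepath.Join(root, "a", "b") // two levels down, so "../../" lands in root
	os.MkdirAll(dest, 0o755)
	_ = extractUnsafe(zr, dest)
	_, statErr := os.Stat(filepath.Join(root, "escaped.txt"))
	res.UnsafeEscaped = statErr == nil
	dest2 := filepath.Join(root, "c", "d")
	os.MkdirAll(dest2, 0o755)
	res.SafeRejected = errors.Is(extractSafe(zr, dest2), ErrZipSlip)
	return res, nil
}

func main() {
	fmt.Println(Demo())
}
```

The important detail is that filepath.Join normalises the name without confining it, so a check has to be made on the relationship between the final target and dest (filepath.Rel here), not on the presence of ".." in the raw name.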
CVE-2025-0928
Summary: CVE-2025-0928 affects Juju prior to 3.6.8 and 2.9.52 where any authenticated controller user could upload arbitrary agent binaries to any model or the controller, without verifying model membership or explicit permissions, enabling distribution of poisoned binaries and potential remote c...
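Several of the entries above (the /log endpoint, the agent binary upload, the CloudSpec call) share one shape: the endpoint confirms the caller exists in the user database and stops there, never asking whether that caller holds the right permission on the target model or controller. The following is an added example, not Juju's API server code, with an upload handler in the vulnerable shape beside one that requires write access on the named model or controller admin rights; the token table, access levels and route are all constructed for this example:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// access levels, loosely modelled on a controller/model split (names are assumptions).
type access int

const (
	noAccess access = iota
	readAccess
	writeAccess
	adminAccess
)

type principal struct {
	name       string
	controller access            // access on the controller itself
	models     map[string]access // access per model the user is a member of
}

// users is a constructed token table standing in for the controller user database.
var users = map[string]principal{
	"tok-admin":   {name: "admin", controller: adminAccess},
	"tok-alice":   {name: "alice", controller: readAccess, models: map[string]access{"prod": writeAccess}},
	"tok-mallory": {name: "mallory", controller: readAccess}, // exists, but belongs to no model
}

func authenticate(r *http.Request) (principal, bool) {
	p, ok := users[r.Header.Get("Authorization")]
	return p, ok
}

// vulnerableUpload only checks that the caller is a known user: any account can push binaries to any model.
func vulnerableUpload(w http.ResponseWriter, r *http.Request) {
	if _, ok := authenticate(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedUpload separates authentication from authorisation: the caller must hold write
// access on the target model (membership is implied by having any level there) or be a controller admin.
func hardenedUpload(w http.ResponseWriter, r *http.Request) {
	p, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	model := r.URL.Query().Get("model")
	if p.controller < adminAccess && p.models[model] < writeAccess { // nil map lookup yields noAccess
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// call drives a handler through httptest and returns the status code.
func call(h http.HandlerFunc, token, model string) int {
	req := httptest.NewRequest(http.MethodPost, "/tools?model="+model, nil)
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct{ token, model string }{
		{"tok-mallory", "prod"}, {"tok-alice", "prod"}, {"tok-alice", "staging"}, {"tok-admin", "staging"}, {"bogus", "prod"},
	} {
		fmt.Printf("%-12s model=%-8s vulnerable=%d hardened=%d\n",
			tc.token, tc.model, call(vulnerableUpload, tc.token, tc.model), call(hardenedUpload, tc.token, tc.model))
	}
}
```

The hardened handler keeps the two decisions separate and answers 401 for an unknown caller and 403 for a known one without rights; the vulnerable one returns 200 to mallory, who is a valid account with no model membership at all, which is the condition described in the advisories above.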