Platform: go
Component: github.com/juju/juju
Fixed in: 2.9.57, 3.6.21, 0.0.0-20260408003526-d395054dc2c3
CVE-2026-5412 is a critical vulnerability in the Juju controller, the server component of Juju, an open-source application orchestration tool written in Go. An authenticated controller user who knows the UUID of the controller model can exploit the flaw to retrieve the cloud credential that was used to bootstrap the controller, and with it potentially compromise the cloud account behind the deployment. Affected are 2.9 releases before 2.9.57, 3.6 releases before 3.6.21, and development builds of github.com/juju/juju before pseudo-version 0.0.0-20260408003526-d395054dc2c3; fixes have been released for all three lines.
The primary impact of CVE-2026-5412 is unauthorized exposure of cloud credentials. An attacker holding a valid login on the Juju controller who also knows the controller model UUID can call the CloudSpec API and read the bootstrap credential back. That API exists for internal use: workers inside the controller call it, and the CLI calls it for operations such as controller destruction (juju kill-controller). A model UUID is an identifier, not a secret, so an authorization check that effectively relies on callers not knowing it is no check at all. With the credential in hand, the attacker can do whatever that credential is permitted to do in the cloud account, typically create, modify and delete resources, which can lead to data breaches, service disruption and financial loss. The blast radius is everything the credential itself can touch, which in many deployments is broader than the virtual machines, storage buckets and databases the compromised controller manages.
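To make the authorization failure concrete, here is an added example, written for this page and not Juju's own facade code, of a CloudSpec-style lookup in Go in a deliberately vulnerable form beside a hardened one. The `Caller`, `Store` and `CloudSpec` types, the `model-<uuid>` tag parsing and the sample credential are hypothetical stand-ins for the controller's real authorizer and state; the access-level names `login` and `superuser` are Juju's controller access levels. The exact check the Juju fix changed is not reproduced here; the example shows the pattern, not the patch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical types for this added illustration; not Juju's facade.Authorizer.

// Caller is an identity the API server has already authenticated.
type Caller struct {
	Name              string
	IsControllerAgent bool   // internal controller worker or machine agent
	ControllerAccess  string // Juju controller access level: "login", "add-model" or "superuser"
}

// CloudSpec is what the facade hands back: cloud metadata plus the credential.
type CloudSpec struct {
	Cloud      string
	Credential map[string]string // secret attributes, e.g. access keys
}

// Store stands in for controller state: cloud specs keyed by model UUID.
type Store struct {
	ControllerModelUUID string
	Specs               map[string]CloudSpec
}

var (
	ErrPerm     = errors.New("permission denied")
	ErrNotFound = errors.New("model not found")
)

// parseModelTag accepts a Juju-style model tag "model-<uuid>" and returns the UUID.
func parseModelTag(tag string) (string, error) {
	const prefix = "model-"
	if !strings.HasPrefix(tag, prefix) || len(tag) == len(prefix) {
		return "", fmt.Errorf("%q is not a model tag", tag)
	}
	return tag[len(prefix):], nil
}

// vulnerableCloudSpec gates the lookup only on "is authenticated" and "is a
// well-formed model tag". Anyone with a controller login who knows the
// controller model UUID walks away with the bootstrap credential.
func vulnerableCloudSpec(s *Store, c Caller, tag string) (CloudSpec, error) {
	uuid, err := parseModelTag(tag)
	if err != nil {
		return CloudSpec{}, err
	}
	if c.Name == "" { // unauthenticated connections never reach a facade in practice
		return CloudSpec{}, ErrPerm
	}
	spec, ok := s.Specs[uuid]
	if !ok {
		return CloudSpec{}, ErrNotFound
	}
	return spec, nil
}

// hardenedCloudSpec authorizes on who the caller is, not on what they know.
// Controller-internal agents keep working; a human user needs superuser on
// the controller, which destroying a controller requires anyway.
func hardenedCloudSpec(s *Store, c Caller, tag string) (CloudSpec, error) {
	uuid, err := parseModelTag(tag)
	if err != nil {
		return CloudSpec{}, err
	}
	if !(c.IsControllerAgent || c.ControllerAccess == "superuser") {
		// Deny before the lookup so the response does not reveal whether the UUID exists.
		return CloudSpec{}, ErrPerm
	}
	spec, ok := s.Specs[uuid]
	if !ok {
		return CloudSpec{}, ErrNotFound
	}
	return spec, nil
}

// sampleStore builds constructed data: one controller model with a fake credential.
func sampleStore() *Store {
	const ctrlUUID = "0d8a7c0e-0000-4000-8000-000000000001" // constructed, not a real UUID
	return &Store{
		ControllerModelUUID: ctrlUUID,
		Specs: map[string]CloudSpec{
			ctrlUUID: {
				Cloud:      "aws",
				Credential: map[string]string{"access-key": "AKIAEXAMPLE", "secret-key": "constructed-secret"},
			},
		},
	}
}

func main() {
	s := sampleStore()
	tag := "model-" + s.ControllerModelUUID
	mallory := Caller{Name: "mallory", ControllerAccess: "login"} // ordinary user who learned the UUID

	if spec, err := vulnerableCloudSpec(s, mallory, tag); err == nil {
		fmt.Printf("vulnerable: login user obtained %s credential %v\n", spec.Cloud, spec.Credential)
	}
	if _, err := hardenedCloudSpec(s, mallory, tag); err != nil {
		fmt.Printf("hardened:   login user denied: %v\n", err)
	}
}
```

The hardened variant also denies before consulting the store, so a non-superuser cannot use the error type to probe which model UUIDs exist.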
CVE-2026-5412 was publicly disclosed on 2026-04-10. It is not listed in the CISA KEV catalogue, and its EPSS score is 0.04% (12th percentile), a low predicted probability of exploitation in the wild. No public proof-of-concept exploit is known at this time, but the attack requires nothing more than an authenticated API call, so monitor security advisories and threat intelligence feeds for signs of active exploitation.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5412 is to upgrade affected controllers without delay: 2.9.57 or later on the 2.9 series, 3.6.21 or later on the 3.6 series, or a build of github.com/juju/juju at pseudo-version 0.0.0-20260408003526-d395054dc2c3 or later. Until the upgrade lands, shrink the pool of accounts that can reach the vulnerable code: the flaw needs only a valid controller login, so review `juju users`, remove or disable accounts that are not needed, and restrict network access to the controller API port (17070 by default) to trusted sources. A web application firewall is not a useful control here; the Juju API is JSON over WebSocket rather than a set of HTTP paths, so there is no CloudSpec URL to filter. Monitor the controller's audit and API logs for CloudSpec facade calls made by ordinary users rather than by controller workers or by an administrator running `juju kill-controller`. Because the bug exposes the bootstrap credential itself, treat that credential as compromised if unexpected access is found, or if exposure cannot be ruled out: rotate it with the cloud provider and update it on the controller with `juju update-credential`. After upgrading, confirm the fix by requesting the CloudSpec of the controller model as a non-administrative user and checking that the request is refused.
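The log-monitoring step above, as an added example that is not part of the original advisory or of Juju: a small Go detector that joins API request records to the user session that issued them and flags CloudSpec facade calls by anyone outside an operator allowlist. The audit lines are constructed, and their field names and the facade name "CloudSpec" are assumptions loosely modelled on Juju's JSON audit log; verify them against your controller's own audit.log before relying on the rule.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed audit lines (not captured from a real controller). Shape is an
// assumption: a "conversation" record names the user and CLI command, then one
// "request" record per API call carries the facade and method. The last line
// is a request whose conversation record is missing, to exercise that branch.
const sampleAuditLog = `
{"conversation":{"who":"admin","what":"juju kill-controller prod","when":"2026-04-09T10:00:00Z","conversation-id":"c1","connection-id":"1"}}
{"request":{"conversation-id":"c1","connection-id":"1","request-id":1,"when":"2026-04-09T10:00:01Z","facade":"CloudSpec","method":"CloudSpec"}}
{"conversation":{"who":"mallory","what":"juju status","when":"2026-04-09T11:00:00Z","conversation-id":"c2","connection-id":"2"}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":3,"when":"2026-04-09T11:00:01Z","facade":"Client","method":"FullStatus"}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":4,"when":"2026-04-09T11:00:02Z","facade":"CloudSpec","method":"CloudSpec"}}
{"request":{"conversation-id":"c9","connection-id":"9","request-id":1,"when":"2026-04-09T12:00:00Z","facade":"CloudSpec","method":"CloudSpec"}}
`

type conversation struct {
	Who            string `json:"who"`
	What           string `json:"what"`
	When           string `json:"when"`
	ConversationID string `json:"conversation-id"`
}

type request struct {
	ConversationID string `json:"conversation-id"`
	RequestID      int    `json:"request-id"`
	When           string `json:"when"`
	Facade         string `json:"facade"`
	Method         string `json:"method"`
}

// Finding is one CloudSpec call that an unexpected (or unknown) user made.
type Finding struct {
	Who, What, When string
	RequestID       int
}

// detectCloudSpecAccess returns every CloudSpec facade call whose session
// belongs to a user outside the expected set of operators. A request with no
// matching conversation record is attributed to "<unknown>" and still flagged.
func detectCloudSpecAccess(auditLog string, expected map[string]bool) ([]Finding, error) {
	convs := map[string]conversation{}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec map[string]json.RawMessage // record type is the single top-level key
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		if raw, ok := rec["conversation"]; ok {
			var c conversation
			if err := json.Unmarshal(raw, &c); err != nil {
				return nil, err
			}
			convs[c.ConversationID] = c
			continue
		}
		if raw, ok := rec["request"]; ok {
			var r request
			if err := json.Unmarshal(raw, &r); err != nil {
				return nil, err
			}
			if r.Facade != "CloudSpec" {
				continue
			}
			c, known := convs[r.ConversationID]
			who := c.Who
			if !known {
				who = "<unknown>"
			}
			if expected[who] {
				continue // an operator doing something like kill-controller
			}
			findings = append(findings, Finding{Who: who, What: c.What, When: r.When, RequestID: r.RequestID})
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := detectCloudSpecAccess(sampleAuditLog, map[string]bool{"admin": true})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT CloudSpec call by %q during %q at %s (request-id %d)\n", f.Who, f.What, f.When, f.RequestID)
	}
}
```

Run against the constructed input, the rule flags mallory's call (issued from a plain `juju status` session, where CloudSpec has no business being called) and the orphaned request, while the admin's kill-controller session is allowed through. Two such findings on a live controller are the signal to rotate the bootstrap credential.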
Upgrade Juju to 2.9.57 or later on the 2.9 series, or to 3.6.21 or later on the 3.6 series. These releases correct the authorization check that let ordinary authenticated users read the credential used to bootstrap the controller.
CVE-2026-5412 is a critical vulnerability in Juju controllers that allows authenticated users to retrieve cloud credentials via the CloudSpec API, potentially leading to cloud resource compromise.
If you run a Juju controller older than 2.9.57 on the 2.9 series, older than 3.6.21 on the 3.6 series, or a development build of github.com/juju/juju before pseudo-version 0.0.0-20260408003526-d395054dc2c3, you are affected.
Upgrade the controller to a fixed release. As a temporary workaround, remove or disable controller user accounts that are not needed and restrict network access to the controller API; if exposure cannot be ruled out, treat the bootstrap cloud credential as compromised and rotate it.
There are currently no publicly available proof-of-concept exploits or confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Juju project's security advisories and release notes for detailed information and updates regarding CVE-2026-5412.