CVE-2026-5412 -- CVSS 9.9 Vulnerability Briefing
CVE-2026-5412 | CVSS 9.9 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-5412 is an authorization bypass vulnerability in the Controller facade of Canonical Juju, the open-source application orchestration platform, affecting versions prior to 2.9.57 and 3.6.21.
Technical Detail
The flaw exists in the CloudSpec API method exposed through Juju's Controller facade, where insufficient authorization checks allow any authenticated user, regardless of privilege level, to invoke the method and retrieve cloud credentials associated with the bootstrapped controller. An attacker with only basic authenticated access to a Juju controller can extract cloud provider credentials, which typically include API keys or service account tokens granting broad access to the underlying infrastructure such as AWS, Azure, GCP, or OpenStack environments. The practical impact is credential theft leading to full cloud environment compromise, representing a critical privilege escalation and lateral movement risk beyond the Juju deployment itself.
Exploitation Status
No known exploit code has been identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning no public proof-of-concept or weaponized tooling has been confirmed. However, the attack requires only valid authentication credentials and involves calling a documented API method, which significantly lowers the barrier to exploitation by any authenticated user with knowledge of the flaw.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been confirmed in connection with this vulnerability. Given the nature of the flaw, cloud-focused threat actors and opportunistic attackers with access to Juju environments would be the most likely to attempt exploitation if awareness of the vulnerability increases.
What To Do
Organizations running Juju should upgrade immediately to version 2.9.57 or later on the 2.9 track, or to version 3.6.21 or later on the 3.x track. Given the CVSS score of 9.9 and the direct path from authenticated access to cloud credential extraction, this should be treated as a high-priority patch. Administrators should audit Juju controller access logs for unexpected or unauthorized calls to the CloudSpec API method as a detection signal. If immediate patching is not possible, restrict controller access to the minimum necessary set of authenticated users and review all existing user accounts for necessity. Cloud provider credentials used by affected Juju controllers should be rotated following patching as a precautionary measure, particularly if any unauthorized access to the controller cannot be ruled out.
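Two of the actions above lend themselves to scripting: deciding whether a given controller version is on the affected side of the 2.9.57 / 3.6.21 boundary, and sweeping controller audit logs for calls to the CloudSpec method. The following Python is an added example written for this briefing, not Canonical's or Juju's own code. It assumes (as labelled in the comments) that "prior to 2.9.57 and 3.6.21" means every 2.x release below 2.9.57 and every 3.x release below 3.6.21, and that the audit log is one JSON object per line in which a conversation record names the caller and subsequent request records reference it by conversation id; the sample log lines are constructed, not real output.

```python
"""Triage helpers for CVE-2026-5412 (Juju Controller facade, CloudSpec method).

Added example for the briefing above; not Juju's own code. Assumptions are
marked in the comments and docstrings.
"""
import json
import re
from typing import Iterable, List, Tuple

# Fixed releases as stated in the briefing.
FIXED_29 = (2, 9, 57)
FIXED_36 = (3, 6, 21)

# Leading major.minor.patch triple; `juju version` may append "-ubuntu-amd64".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '3.6.20' or '2.9.57-ubuntu-amd64' into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Juju version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the controller version is below the fixed release on its track.

    Interpretation assumed by this example: any 2.x below 2.9.57 and any 3.x
    below 3.6.21 is affected. Other major versions are not assessed by the
    briefing and are reported as not affected here.
    """
    v = parse_version(version)
    if v[0] == 2:
        return v < FIXED_29
    if v[0] == 3:
        return v < FIXED_36
    return False


def find_cloudspec_calls(lines: Iterable[str]) -> List[dict]:
    """Return one record per Controller.CloudSpec request found in audit-log lines.

    Assumed layout (constructed for this example): a 'conversation' record with
    'who', 'when' and 'conversation-id', followed by 'request' records carrying
    the same 'conversation-id' plus 'facade' and 'method'. Malformed lines are
    skipped so one bad line does not abort a sweep of a large log.
    """
    conversations = {}  # conversation-id -> conversation record (caller identity)
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if "conversation" in rec:
            conv = rec["conversation"]
            conversations[conv.get("conversation-id")] = conv
        elif "request" in rec:
            req = rec["request"]
            if req.get("facade") == "Controller" and req.get("method") == "CloudSpec":
                conv = conversations.get(req.get("conversation-id"), {})
                hits.append({
                    "who": conv.get("who", "<unknown>"),
                    "when": conv.get("when", "<unknown>"),
                    "conversation-id": req.get("conversation-id"),
                    "request-id": req.get("request-id"),
                })
    return hits


# Constructed sample audit log: one benign status call by admin, one
# CloudSpec call by a low-privilege user, and a garbage line to be skipped.
SAMPLE_AUDIT_LOG = """
{"conversation":{"who":"admin","what":"juju status","when":"2026-03-01T10:00:00Z","model-name":"controller","conversation-id":"c1","connection-id":"1"}}
{"request":{"conversation-id":"c1","connection-id":"1","request-id":1,"facade":"Client","method":"FullStatus","version":6}}
{"conversation":{"who":"readonly-user","what":"custom client","when":"2026-03-01T10:05:00Z","model-name":"controller","conversation-id":"c2","connection-id":"2"}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":1,"facade":"Controller","method":"CloudSpec","version":11}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":2,"facade":"Controller","method":"ModelStatus","version":11}}
not-json garbage line
"""

if __name__ == "__main__":
    for v in ("2.9.56-ubuntu-amd64", "2.9.57", "3.1.8", "3.6.20", "3.6.21"):
        print(f"{v:22s} affected={is_vulnerable(v)}")
    for hit in find_cloudspec_calls(SAMPLE_AUDIT_LOG.splitlines()):
        print("CloudSpec call:", hit)
```

Feed `find_cloudspec_calls` the lines of the controller's audit log (for example via `open(path)`) and review every hit against the set of users who are expected to need cloud credentials; on a vulnerable controller any hit from a user outside that set is the signal the briefing describes, and rotating the cloud credentials is the appropriate response regardless of whether the caller's intent can be established.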