CVE-2025-68152 Overview
CVE-2025-68152 is an Improper Authorization vulnerability affecting Juju, an open source application orchestration engine that enables application operations on any infrastructure at any scale through special operators called 'charms'. The vulnerability allows a compromised workload machine under a Juju controller to read any log file for any entity in any model at any level, leading to potential sensitive information disclosure across the entire Juju deployment.
Critical Impact
A compromised workload machine can bypass authorization controls to access log files from any entity across all models, potentially exposing sensitive configuration data, credentials, and operational information from the entire Juju infrastructure.
Affected Products
- Juju 2.9 series: versions before 2.9.56
- Juju 3.6 series: versions before 3.6.19
Discovery Timeline
- 2026-04-03 - CVE-2025-68152 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2025-68152
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how the Juju API server validates user permissions when accessing log streams and debug log endpoints. The issue stems from insufficient authorization checks that fail to properly verify whether a requesting entity has the necessary permissions to access log files belonging to other entities or models.
In the vulnerable configuration, the debug log authorization mechanism allowed any authenticated machine or agent to access log endpoints without properly validating model-level permissions. This means a compromised workload machine could leverage its existing authentication to request and receive log data from entities it should not have access to, including logs from other models entirely.
Root Cause
The root cause lies in the authorization logic within the Juju API server's handling of the /log endpoint and log stream functionality. The debuglogAuth authorizer composition did not properly enforce model-level permission checks, specifically missing the requirement for permission.ReadAccess validation in certain code paths. The fix introduces proper model permission authorization by ensuring the modelPermissionAuthorizer is correctly integrated into the authorization chain.
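To make the composition failure concrete, here is a simplified Go model (added for this page, not Juju's code) of an OR-composed authorizer chain like debuglogAuth: Weak contains one branch that admits any machine agent without looking at which model's logs are requested, while Hardened scopes every branch to a model. The Principal shape, the AgentAuthorizer/ModelRead names, the assumption that a composite admits a request as soon as any member admits it, and the model names are all constructed for the illustration.

```go
package main

import "errors"
// Simplified model, written for this page, of an OR-composed authorizer chain
// such as debuglogAuth; not Juju's code, and Principal is constructed for it.
type Principal struct {
	Kind      string          // "machine" or "user"
	HomeModel string          // model the machine agent belongs to
	ReadOn    map[string]bool // models a user holds read permission on
}

// Authorizer returns nil when the principal may read the logs of model.
type Authorizer func(p Principal, model string) error

var errForbidden = errors.New("forbidden")

// Composite admits the request as soon as any member admits it, so a single
// member that ignores the requested model weakens the whole chain.
func Composite(members ...Authorizer) Authorizer {
	return func(p Principal, model string) error {
		for _, m := range members {
			if m(p, model) == nil {
				return nil
			}
		}
		return errForbidden
	}
}

// AgentAuthorizer admits machine agents: scoped=false ignores which model is
// requested (the missing check above); scoped=true admits only its own model.
func AgentAuthorizer(scoped bool) Authorizer {
	return func(p Principal, model string) error {
		if p.Kind == "machine" && (!scoped || p.HomeModel == model) {
			return nil
		}
		return errForbidden
	}
}

// ModelRead admits a principal holding read permission on the model.
func ModelRead(p Principal, model string) error {
	if p.ReadOn[model] {
		return nil
	}
	return errForbidden
}

var Weak = Composite(AgentAuthorizer(false), ModelRead)    // one model-agnostic branch
var Hardened = Composite(AgentAuthorizer(true), ModelRead) // every branch model-scoped
```

A machine agent from model-a passes Weak for model-b's logs but is refused by Hardened, while a user with read permission on model-b is admitted by both.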
Attack Vector
An attacker who has compromised a workload machine within a Juju deployment can exploit this vulnerability through the network by making authenticated requests to the log stream endpoint. Since the authorization checks were insufficient, the attacker can request log files for any entity across any model in the Juju controller, regardless of their actual permissions. This requires network access to the Juju API server and an existing compromised machine credential, but does not require user interaction.
// Security patch from apiserver/apiserver.go
// This fix ensures proper model permission authorization for debug-log access
healthHandler := srv.monitoredHandler(http.HandlerFunc(srv.healthHandler), "health")
logStreamHandler := srv.monitoredHandler(newLogStreamEndpointHandler(httpCtxt), "logstream")
embeddedCLIHandler := srv.monitoredHandler(newEmbeddedCLIHandler(httpCtxt), "commands")
+ controllerAdminAuthorizer := controllerAdminAuthorizer{
+ controllerTag: systemState.ControllerTag(),
+ }
var debuglogAuth httpcontext.CompositeAuthorizer = []authentication.Authorizer{
tagKindAuthorizer{names.MachineTagKind, names.ControllerAgentTagKind},
- controllerAdminAuthorizer{
- controllerTag: systemState.ControllerTag(),
- },
+ controllerAdminAuthorizer,
modelPermissionAuthorizer{
perm: permission.ReadAccess,
},
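Review bot: as excerpted, this hunk only hoists the controllerAdminAuthorizer literal into a local variable (the three removed lines become the single `+ controllerAdminAuthorizer,` entry); the `modelPermissionAuthorizer{ perm: permission.ReadAccess }` lines are unchanged context, so this excerpt does not itself show the model-permission check being added that the commentary above attributes to the fix. The hunk is also cut off before the closing of the debuglogAuth literal. Please include the hunk where the new controllerAdminAuthorizer local is used and the rest of the authorizer list, so the authorization change is visible in the diff rather than only the refactor.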
Source: GitHub Commit
Detection Methods for CVE-2025-68152
Indicators of Compromise
- Unusual log access patterns from workload machines requesting logs for entities outside their assigned model
- API server logs showing cross-model log stream requests from machine agents
- Increased volume of requests to /log endpoints from individual workload machines
- Authentication events showing machine credentials accessing resources in unrelated models
Detection Strategies
- Monitor Juju API server access logs for requests to log endpoints originating from workload machines accessing non-local models
- Implement anomaly detection for log stream requests that cross model boundaries
- Audit authentication logs for patterns of machine agents requesting resources outside their designated model scope
- Deploy network monitoring to identify unusual traffic patterns between workload machines and the Juju controller API
Monitoring Recommendations
- Enable verbose logging on Juju controller API endpoints to capture all log access requests with source identification
- Configure alerting for any log stream access that spans multiple models from a single machine agent
- Regularly review and audit machine agent permissions and their actual resource access patterns
- Implement log correlation between workload machine activity and controller API access logs
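The cross-model check called for in the detection and monitoring lists above, as an added Go example that is not part of this advisory or of Juju: it parses constructed API-server access records for /log requests and reports, per machine agent, every foreign model it requested logs for. The key=value line format, the src/src_model/target_model field names and the sample records are all constructed for the illustration; Juju's real access-log layout is not shown on this page.

```go
package main

import "strings"

// Access-record shape and line format constructed for this page to show the
// cross-model check from the detection list; they are not Juju's log format.
type LogRequest struct {
	Source      string // requesting entity, e.g. "machine-3"
	SourceModel string // model that entity belongs to
	TargetModel string // model whose logs were requested
}

// ParseRecord reads key=value fields from a constructed access-log line such as
// "2026-04-03T10:00:00Z /log src=machine-3 src_model=model-a target_model=model-b".
func ParseRecord(line string) (LogRequest, bool) {
	vals := map[string]string{}
	for _, field := range strings.Fields(line) {
		if key, val, ok := strings.Cut(field, "="); ok {
			vals[key] = val
		}
	}
	r := LogRequest{Source: vals["src"], SourceModel: vals["src_model"], TargetModel: vals["target_model"]}
	return r, r.Source != "" && r.SourceModel != "" && r.TargetModel != ""
}

// CrossModelHits returns, per machine agent, the foreign models it requested
// logs for. Users are skipped: they may legitimately hold read on many models.
func CrossModelHits(lines []string) map[string][]string {
	hits := map[string][]string{}
	for _, line := range lines {
		r, ok := ParseRecord(line)
		if !ok || !strings.HasPrefix(r.Source, "machine-") {
			continue
		}
		if r.TargetModel != r.SourceModel {
			hits[r.Source] = append(hits[r.Source], r.TargetModel)
		}
	}
	return hits
}

// SampleLines are constructed records: machine-3 reads its own model, then two
// foreign ones; machine-7 and user-admin stay within expected behaviour.
var SampleLines = []string{
	"2026-04-03T10:00:00Z /log src=machine-3 src_model=model-a target_model=model-a",
	"2026-04-03T10:00:05Z /log src=machine-3 src_model=model-a target_model=model-b",
	"2026-04-03T10:00:09Z /log src=machine-3 src_model=model-a target_model=controller",
	"2026-04-03T10:01:00Z /log src=machine-7 src_model=model-b target_model=model-b",
	"2026-04-03T10:02:00Z /log src=user-admin src_model=controller target_model=model-a",
}
```

On the sample records only machine-3 is reported, with model-b and controller as the foreign models it reached for; a per-machine count over a time window gives the volume signal from the indicators list.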
How to Mitigate CVE-2025-68152
Immediate Actions Required
- Upgrade Juju immediately to version 2.9.56 or later for the 2.9.x branch
- Upgrade Juju immediately to version 3.6.19 or later for the 3.6.x branch
- Review logs for any historical unauthorized cross-model log access attempts
- Audit all workload machines for signs of compromise and rotate credentials if necessary
Patch Information
Canonical has released security patches addressing this vulnerability. The fixes are available in Juju versions 2.9.56 and 3.6.19. The patches introduce proper model permission authorization checks using the modelPermissionAuthorizer with permission.ReadAccess requirements for the debug log and log stream endpoints.
For detailed patch information, refer to the GitHub Security Advisory and the corresponding commits: Commit 22cdcf6b and Commit c91a1f4.
Workarounds
- Implement network segmentation to restrict direct API access from workload machines to the Juju controller where possible
- Deploy additional authentication layers or API gateways to control and monitor access to log endpoints
- Consider temporarily disabling or restricting access to the debug-log functionality until patches can be applied
- Monitor and alert on any cross-model API requests as an interim detection measure
# Check the current Juju version and plan the upgrade
juju version
# Upgrade the controller to the patched release (use 2.9.56 on the 2.9 branch)
juju upgrade-controller --agent-version 3.6.19
# Confirm the upgrade completed and the controller reports the new version
juju controllers
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

