CVE-2026-5412 Overview
CVE-2026-5412 is an authorization bypass vulnerability affecting Canonical Juju, an open-source application modeling tool used for deploying, configuring, scaling, and operating software on cloud infrastructure. The vulnerability exists in the Controller facade, where an authorization issue allows authenticated low-privileged users to call the CloudSpec API method and extract sensitive cloud credentials used to bootstrap the controller.
This vulnerability enables privilege escalation through credential theft, allowing attackers with minimal authenticated access to obtain cloud provider credentials that could be used to compromise the entire cloud infrastructure managed by the affected Juju controller.
Critical Impact
An authenticated low-privileged user can extract cloud bootstrap credentials through the CloudSpec API, potentially compromising entire cloud infrastructure deployments managed by Juju.
Affected Products
- Juju versions prior to 2.9.57
- Juju versions prior to 3.6.21
- All Juju deployments using the vulnerable Controller facade API
Discovery Timeline
- 2026-04-10 - CVE-2026-5412 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-5412
Vulnerability Analysis
This vulnerability stems from improper authorization controls (CWE-285: Improper Authorization) in the Juju Controller facade. The Controller facade is a critical component that manages interactions between Juju clients and the controller, including access to cloud-specific configurations and credentials.
The flaw allows any authenticated user, regardless of their privilege level within the Juju model, to invoke the CloudSpec API method. This method returns the cloud specification including credentials that were used during the controller bootstrap process. Under normal circumstances, access to these credentials should be restricted to administrative users only.
The impact is severe because cloud bootstrap credentials typically have broad permissions across the cloud provider (AWS, GCP, Azure, OpenStack, etc.), potentially allowing an attacker to:
- Access and modify cloud resources outside of Juju's management
- Create new infrastructure for malicious purposes
- Exfiltrate data from cloud storage
- Pivot to other systems within the cloud environment
Root Cause
The root cause is an improper authorization check in the Controller facade's CloudSpec API method. The code fails to verify that the calling user has appropriate administrative privileges before returning sensitive cloud credential information. This represents a broken access control vulnerability where the authorization layer does not properly enforce the principle of least privilege.
The fix implemented in versions 2.9.57 and 3.6.21 adds proper authorization checks to ensure only users with appropriate administrative permissions can access the CloudSpec endpoint.
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to the Juju controller. An attacker would need valid credentials to authenticate to the Juju API, but these could be any legitimate user account regardless of assigned permissions.
The exploitation flow involves:
- Authenticating to the Juju controller with any valid user credentials
- Calling the CloudSpec API method through the Controller facade
- Receiving cloud provider credentials in the API response
- Using the extracted credentials to access cloud resources directly
Since no code examples are available from verified sources, refer to the GitHub Security Advisory GHSA-w5fq-8965-c969 for additional technical details about the vulnerability mechanism.
Detection Methods for CVE-2026-5412
Indicators of Compromise
- Unexpected API calls to the CloudSpec endpoint from non-administrative users
- Unusual authentication patterns to cloud providers using bootstrap credentials
- Audit logs showing CloudSpec API method invocations by low-privileged accounts
- Cloud provider access logs showing activity from Juju bootstrap credentials outside normal controller operations
Detection Strategies
- Monitor Juju controller audit logs for CloudSpec API calls and correlate with user privilege levels
- Implement cloud provider credential usage monitoring to detect anomalous access patterns
- Deploy API monitoring to alert on Controller facade method calls from unauthorized users
- Enable verbose logging on Juju controllers to capture detailed API request information
Monitoring Recommendations
- Configure SIEM rules to alert on CloudSpec API method invocations by non-admin users
- Implement cloud provider IAM monitoring to track bootstrap credential usage
- Review Juju user access lists and verify principle of least privilege is applied
- Set up automated version scanning to identify vulnerable Juju installations
How to Mitigate CVE-2026-5412
Immediate Actions Required
- Upgrade Juju to version 2.9.57 or later for the 2.9.x branch
- Upgrade Juju to version 3.6.21 or later for the 3.6.x branch
- Audit all Juju user accounts and remove unnecessary access
- Rotate cloud bootstrap credentials after patching to invalidate any potentially compromised credentials
Patch Information
Canonical has released patched versions addressing this authorization bypass vulnerability:
- Juju 2.9.x branch: Fixed in version 2.9.57 - See Pull Request #22205
- Juju 3.6.x branch: Fixed in version 3.6.21 - See Pull Request #22206
For complete details, review the GitHub Security Advisory GHSA-w5fq-8965-c969.
Workarounds
- Restrict network access to the Juju controller API to trusted networks only
- Implement additional authentication layers (VPN, bastion hosts) before Juju controller access
- Review and minimize user accounts with authenticated access to Juju controllers
- Consider implementing cloud provider IAM controls to limit bootstrap credential permissions
# Check current Juju version
juju version
# Upgrade Juju controller to patched version
sudo snap refresh juju --channel=2.9/stable
# or for 3.x branch
sudo snap refresh juju --channel=3.6/stable
# Verify upgrade was successful
juju version
# List all users with controller access for audit
juju users --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
