What is CVE-2026-5412?

CVE-2026-5412 is a critical-severity vulnerability in Canonical Juju, classified under Improper Authorization. CVSS score: 9.9/10. Published 2026-04-10.

How severe is CVE-2026-5412?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Auth bypass in Canonical Juju

CVE-2026-5412

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a l…

EPSS: 0.000 (1.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Canonical Juju — versions 2.9.0, 3.6.0

Weakness classification (CWE)

CWE-285 — Improper Authorization

References

CloudSpec method leaking cloud credentials (vendor-advisory, Exploit, Third Party Advisory, vdb-entry)
security@ubuntu.com (issue-tracking, Patch, patch, Issue Tracking)
security@ubuntu.com (issue-tracking, Patch, patch, Issue Tracking)

Frequently asked questions

What is CVE-2026-5412?: CVE-2026-5412 is a critical-severity vulnerability in Canonical Juju, classified under Improper Authorization. CVSS score: 9.9/10. Published 2026-04-10.
How severe is CVE-2026-5412?: Critical severity. CVSS v3 base score is 9.9 out of 10.