Canonical Juju
12 CVEs affecting Canonical Juju. Latest disclosed: 2026-04-10. Critical: 3, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-4370 | Critical | 10.0 | 2026-04-01 | A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to pe… |
| CVE-2026-5412 | Critical | 9.9 | 2026-04-10 | In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to… |
| CVE-2017-9232 | Critical | 9.8 | 2017-05-28 | Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalatio… |
| CVE-2026-32693 | High | 8.8 | 2026-03-18 | In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret c… |
| CVE-2025-0928 | High | 8.8 | 2025-07-08 | In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller… |
| CVE-2025-53513 | High | 8.8 | 2025-07-08 | The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Upload… |
| CVE-2026-32692 | High | 7.6 | 2026-03-18 | An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to… |
| CVE-2026-32694 | Medium | 6.6 | 2026-03-18 | In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictabl… |
| CVE-2025-53512 | Medium | 6.5 | 2025-07-08 | The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitiv… |
| CVE-2026-32691 | Medium | 5.3 | 2026-03-18 | A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly ini… |
| CVE-2026-5774 | | | 2026-04-10 | Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause… |
| CVE-2026-1237 | | | 2026-01-28 | Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database recor… |