NIXPKGS-2026-1049

GitHub issue published on

Permalink CVE-2026-5412

9.9 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 weeks, 4 days ago by @LeSuisse Activity log

Created suggestion 2 weeks, 4 days ago
@LeSuisse ignored
2 packages
- jujutsu
- jujuutils
2 weeks, 4 days ago
@LeSuisse accepted 2 weeks, 4 days ago
@LeSuisse published on GitHub 2 weeks, 4 days ago

Juju CloudSpec API could leak senstive information

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

References

CloudSpec method leaking cloud credentials vdb-entryvendor-advisory
https://github.com/juju/juju/pull/22206 issue-trackingpatch
https://github.com/juju/juju/pull/22205 issue-trackingpatch

Affected products

juju

<2.9.57
<3.6.21

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

nixos-unstable 3.6.12
- nixpkgs-unstable 3.6.12
- nixos-unstable-small 3.6.12
nixos-25.11 3.6.11
- nixos-25.11-small 3.6.11
- nixpkgs-25.11-darwin 3.6.11

Ignored packages (2)

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

nixos-unstable 0.40.0
- nixpkgs-unstable 0.40.0
- nixos-unstable-small 0.40.0
nixos-25.11 0.35.0
- nixos-25.11-small 0.35.0
- nixpkgs-25.11-darwin 0.35.0

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2
nixos-25.11 0.2
- nixos-25.11-small 0.2
- nixpkgs-25.11-darwin 0.2

Package maintainers

@RealityAnomaly Alex Zero <alex@arctarus.co.uk>

Nixpkgs security tracker