Juju Application Orchestration Engine Log File Exposure Vulnerability
CVE-2025-68152

6.9 MEDIUM

Key Information:

Vendor

Juju

Status
Vendor
CVE Published:
3 April 2026

What is CVE-2025-68152?

A flaw in Juju, an open source application orchestration engine, allows compromised machines to access log files across any model under the Juju controller. This issue potentially exposes sensitive information, as unprivileged workloads can read logs belonging to any entity. The vulnerability affects versions 2.9 up to 2.9.55 and 3.6 up to 3.6.18, but has been addressed in subsequent updates (2.9.56 and 3.6.19). Users are encouraged to update their systems to mitigate this risk.

Affected Version(s)

juju >= 2.9, < 2.9.56 (fixed in 2.9.56)

juju >= 3.6, < 3.6.19 (fixed in 3.6.19)

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
