Every CVE whose affected-product data names Canonical Juju, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2026-4370 — CVSS 10.0 (critical): A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database…
CVE-2026-5412 — CVSS 9.9 (critical): In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the…
CVE-2017-9232 — CVSS 9.8 (critical): Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing…
CVE-2026-32693 — CVSS 8.8 (high): In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to…
CVE-2024-6984 — CVSS 8.8 (high): An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access…
CVE-2025-0928 — CVSS 8.8 (high): In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model…
CVE-2025-53513 — CVSS 8.8 (high): The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to…
CVE-2024-7558 — CVSS 8.7 (high): JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an…
CVE-2024-8038 — CVSS 7.9 (high): Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available…
CVE-2026-32692 — CVSS 7.6 (high): An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an…
CVE-2026-32694 — CVSS 6.6 (medium): In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies…
CVE-2025-53512 — CVSS 6.5 (medium): The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that…
CVE-2025-68153 — CVSS 6.5 (medium): Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through…
CVE-2024-8037 — CVSS 6.5 (medium): Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with…
CVE-2026-5774 — CVSS 6.4 (medium): Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated…
CVE-2026-32691 — CVSS 5.3 (medium): A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim…
CVE-2025-68152 — CVSS 4.9 (medium): Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through…
CVE-2023-0092 — CVSS 4.9 (medium): An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from…