Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2026-5412
9.9 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 days, 2 hours ago
Juju CloudSpec API could leak senstive information

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

References

Affected products

juju
  • <2.9.57
  • <3.6.21

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

  • nixos-unstable 0.2
    • nixpkgs-unstable 0.2
    • nixos-unstable-small 0.2
  • nixos-25.11 0.2
    • nixos-25.11-small 0.2
    • nixpkgs-25.11-darwin 0.2