CVE-2025-68152: Juju: Read All Controller Logs From Compromised Workload
It is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level.
There is a debug log endpoint in the API server that allows streaming logs off the controller. To access this endpoint you must be authenticated and be either a machine agent, a controller agent, or a controller admin, or have read permission on the model.
The problematic case is the machine agent. The other checks carry a high enough degree of safety that an attacker cannot move sideways in the controller by obtaining log files.
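As an added illustration of the authorization flaw described above, the following hypothetical Go code models the access decision for a log-streaming endpoint; it is not Juju's own code, and all type and function names are invented. The permissive check lets any machine agent read any model's logs, while the scoped check restricts a machine agent to the model it belongs to.

```go
package main

import "fmt"

// Hypothetical model of the authorization decision for a controller
// debug-log endpoint (constructed example, not Juju's actual types).
type Kind int

const (
	MachineAgent Kind = iota
	ControllerAgent
	ControllerAdmin
	User
)

type Caller struct {
	Kind       Kind
	ModelUUID  string          // model the agent belongs to (agents only)
	ReadModels map[string]bool // models a user holds read permission on
}

// permissiveCanReadLogs mirrors the flaw described above: any machine
// agent passes, regardless of which model's logs are requested.
func permissiveCanReadLogs(c Caller, targetModel string) bool {
	switch c.Kind {
	case MachineAgent, ControllerAgent, ControllerAdmin:
		return true
	case User:
		return c.ReadModels[targetModel]
	}
	return false
}

// scopedCanReadLogs is the hardened form: a machine agent may only read
// logs for its own model, so a compromised workload machine cannot use
// this endpoint to read logs of other models.
func scopedCanReadLogs(c Caller, targetModel string) bool {
	switch c.Kind {
	case ControllerAgent, ControllerAdmin:
		return true
	case MachineAgent:
		return c.ModelUUID != "" && c.ModelUUID == targetModel
	case User:
		return c.ReadModels[targetModel]
	}
	return false
}

func main() {
	agent := Caller{Kind: MachineAgent, ModelUUID: "model-a"}
	fmt.Println(permissiveCanReadLogs(agent, "model-b")) // true: cross-model read allowed
	fmt.Println(scopedCanReadLogs(agent, "model-b"))     // false: denied
}
```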