Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization

Description

Impact

Any user with a Juju account on a controller can read debug log messages from the /log endpoint.
No specific permissions are required - it's just sufficient for the user to exist in the controller user database.
The log messages may contain sensitive information.

Details

The /log endpoint is accessible at the following endpoints:
- wss://<controller-ip>/log
- wss://<controller-ip>/model/<model-uuid>/log

In order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them.

To reproduce:

juju bootstrap
juju add-user testuser
juju change-user-password testuser

Run the wscat command below to
connect to wss://<controller-ip>:17070/api. Update the JSON payload to include the username and password that were created above.

wscat --no-check -c wss://contorller-ip:17070/model/modelUUID/api
{ "type": "Admin", "request": "Login", "version": 3, "params": { "client-
version": "3.6.1.0", "auth-tag": "user-testuser", "credentials": "
password" } }

Observe that the connection fails due to a lack of permissions.

Run the command below to connect to the log endpoint. Note that the credentials are passed in the --auth flag.

wscat --auth user-testuser:password -H "X-Juju-ClientVersion: 3.6.4" --no-check -c wss://<controller-ip>:17070/log

Observe that the logs are returned in the server’s response.

Code

The /log handlers are registered here
https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L867
https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L980

And the only auth required is that the incoming request be for an authenticated user

https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L713

but no specific permission checks are done.

Workarounds

There are no workarounds.

References

F-01

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-07-09 15:30:58 UTC
Updated
2025-07-09 15:31:01 UTC
GitHub reviewed
2025-07-09 15:30:58 UTC
NVD published
2025-07-08

EPSS Score

Score Percentile
0.08% 23.47%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Credits

  • wallyworld (coordinator)
  • hpidcock (coordinator)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/juju/juju < 0.0.0-20250619024904-402ff008dcc2 0.0.0-20250619024904-402ff008dcc2

References

cvelogic Threat Intelligence