CVE Reports

Originally published at cvereports.com

CVE-2026-4370: Critical Authentication Bypass in Canonical Juju Dqlite Cluster

Vulnerability ID: CVE-2026-4370
CVSS Score: 10.0
Published: 2026-04-02

Canonical Juju versions 3.2.0 through 3.6.19 and 4.0 through 4.0.4 contain a critical vulnerability in the internal Dqlite database cluster. The system fails to enforce TLS client certificate validation during the node join handshake on port 17666. An unauthenticated remote attacker can exploit this flaw to join the cluster, gaining full read and write access to the underlying state database.

TL;DR

Unauthenticated remote attackers can bypass TLS validation to join the Juju Dqlite database cluster, granting full read/write access to the controller's state and resulting in complete environment compromise.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-295, CWE-306
  • Attack Vector: Network
  • Privileges Required: None
  • CVSS v3.1 Score: 10.0
  • EPSS Score: 0.00035 (0.03%)
  • Exploit Status: Publicly Available / Proof-of-Concept

Affected Systems

  • Canonical Juju Controller
  • Juju Dqlite Database Cluster
  • Juju: 3.2.0 - 3.6.19 (Fixed in: 3.6.20)
  • Juju: 4.0 - 4.0.4 (Fixed in: 4.0.5)

Code Analysis

Commit: 001318f

refactor: tighten update unit charm using unit uuid

Mitigation Strategies

  • Apply vendor-provided patches to the Juju controller
  • Implement network microsegmentation and restrict access to port 17666
  • Monitor controller logs for unauthorized cluster join events

Remediation Steps:

  1. Identify all running Juju controller versions in the environment.
  2. Upgrade deployments running versions 3.2.0 through 3.6.19 to version 3.6.20.
  3. Upgrade deployments running versions 4.0 through 4.0.4 to version 4.0.5.
  4. Verify firewall rules strictly limit access to port 17666 to known cluster nodes.
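Steps 1 to 3 above amount to comparing each controller's agent version against the two affected ranges. The following Python triage helper is an added example, not part of the report or of Juju itself; it assumes a simple name-to-version inventory (constructed here) and drops the `-<os>-<arch>` suffix that `juju version` appends, which is an assumption about how versions are collected.

```python
"""Triage helper for CVE-2026-4370 (added example, not from the original report).

Applies the affected ranges stated in the advisory to a controller inventory
and reports which controllers must move to 3.6.20 or 4.0.5.
"""
from typing import Dict, Optional, Tuple

# Affected ranges and fixed releases exactly as published in the advisory:
# (inclusive low, inclusive high, fixed release).
AFFECTED = [
    ((3, 2, 0), (3, 6, 19), "3.6.20"),
    ((4, 0, 0), (4, 0, 4), "4.0.5"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.6.19' or '3.6.19-genericlinux-amd64' into (3, 6, 19).

    Assumption: anything after the first '-' is an os/arch suffix and is
    irrelevant to the range check. Missing components count as zero, so the
    advisory's '4.0' lower bound compares as 4.0.0.
    """
    core = text.strip().split("-", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        raise ValueError(f"unrecognised Juju version: {text!r}") from None
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised Juju version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def fixed_release_for(version: str) -> Optional[str]:
    """Return the fixed release a vulnerable controller must reach, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map controller name -> required upgrade target, vulnerable ones only."""
    result = {}
    for name, ver in inventory.items():
        target = fixed_release_for(ver)
        if target is not None:
            result[name] = target
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real controllers.
    sample = {"prod-ctrl": "3.6.19-genericlinux-amd64", "staging": "4.0.4",
              "lab": "3.6.20", "legacy": "3.1.7", "next": "4.1.0"}
    for name, target in triage(sample).items():
        print(f"{name}: vulnerable, upgrade to {target}")
```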


Read the full report for CVE-2026-4370 on our website for more details including interactive diagrams and full exploit analysis.