DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-5774: Race Condition and Denial of Service in Canonical Juju API Server

Vulnerability ID: CVE-2026-5774
CVSS Score: 6.1
Published: 2026-04-10

Canonical Juju is affected by a medium-severity race condition vulnerability (CWE-362) within its API server. The vulnerability allows an authenticated attacker to trigger concurrent, unsynchronized writes to shared map state, which the Go runtime aborts with an unrecoverable fatal panic, resulting in Denial of Service (DoS), or to bypass single-use token constraints via an authentication replay attack.

TL;DR

A race condition in Juju's API server allows authenticated users to crash the server or replay authentication tokens due to thread-unsafe map operations.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-362
  • Attack Vector: Network
  • CVSS v4.0 Score: 6.1 (Medium)
  • Impact: Denial of Service (DoS) and Authentication Replay
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Canonical Juju API Server
  • Juju: 2.0.0 to < 2.9.57 (Fixed in: 2.9.57)
  • Juju: 3.0.0 to < 3.6.21 (Fixed in: 3.6.21)
  • Juju: 4.0.0 to < 4.0.6 (Fixed in: 4.0.6)

Code Analysis

  • Commit 8ff4880: initial fix commit for the race condition
  • Commit 2bc884d: final merge of the mutex gate fix
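As an added illustration of the bug class behind this fix (not Juju's code and not taken from the report), a Go sketch of a single-use token map consumed without locking next to the same check-and-delete gated by a mutex; the store names, the bool-returning Consume API and the sample token are assumptions.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// UnsafeStore (constructed here, not Juju's code) has no locking: concurrent
// Consume calls can all see the token as valid before any deletes it (replay),
// and overlapping map writes abort the Go process with an unrecoverable
// "fatal error: concurrent map writes" (DoS). Shown, deliberately not run.
type UnsafeStore struct{ tokens map[string]bool }

func (u *UnsafeStore) Consume(token string) bool {
	ok := u.tokens[token]   // check ...
	delete(u.tokens, token) // ... then act; nothing makes the pair atomic
	return ok
}

// SafeStore gates the check-and-delete behind one mutex, so map access never
// overlaps and exactly one caller can consume a given token.
type SafeStore struct {
	mu     sync.Mutex
	tokens map[string]bool // token -> still valid
}

func (s *SafeStore) Consume(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	ok := s.tokens[token]
	delete(s.tokens, token)
	return ok
}

// ConcurrentConsume races n goroutines for one token and returns how many
// succeeded; a correct single-use store returns exactly 1.
func ConcurrentConsume(s *SafeStore, token string, n int) int {
	var wg sync.WaitGroup
	var wins int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if s.Consume(token) {
				atomic.AddInt32(&wins, 1)
			}
		}()
	}
	wg.Wait()
	return int(atomic.LoadInt32(&wins))
}
```

Running the same race against UnsafeStore under `go test -race` reports the data race the runtime panic stems from, which is the signal the log-monitoring mitigation above is looking for in production.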

Mitigation Strategies

  • Upgrade Canonical Juju to fixed versions (4.0.6, 3.6.21, or 2.9.57).
  • Implement network-level rate limiting on /local-login/discharge and /local-login/form endpoints to hinder race condition exploitation.
  • Monitor application logs for Go runtime fatal panics indicating concurrent map write failures.

Remediation Steps:

  1. Identify the current deployment version of the Canonical Juju API server.
  2. Download the corresponding patch version according to the branch (4.0.x -> 4.0.6, 3.6.x -> 3.6.21, 2.9.x -> 2.9.57).
  3. Apply the upgrade sequence to the Juju controller node(s).
  4. Verify the API server restarts successfully and monitor stability.

Read the full report for CVE-2026-5774 on our website for more details including interactive diagrams and full exploit analysis.
