PT-2026-29482 · Canonical · Juju
Harry Pidcock
+3
·
Published
2026-04-01
·
Updated
2026-04-04
·
CVE-2026-4370
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Juju versions 3.2.0 through 3.6.19 and versions 4.0.0 through 4.0.4
Description
A flaw exists in the Juju software where the internal Dqlite database cluster does not properly validate TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An attacker with network access to the Juju controller's Dqlite port can join the database cluster and gain full read and write access to the database, potentially leading to complete data compromise.
Recommendations
Update Juju to a version later than 4.0.4. Update Juju to a version later than 3.6.19.
Fix
Improper Certificate Validation
Missing Authentication
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Juju