Platform: go
Component: github.com/juju/juju
Fixed in: 3.6.20, 4.0.4, 0.0.1
CVE-2026-4370 is a critical vulnerability affecting Juju controllers since version 3.2.0. It allows an attacker with network access to the Juju controller's Dqlite cluster endpoint to join the cluster, potentially gaining complete control over the system. The vulnerability stems from insufficient certificate validation, enabling privilege escalation and modification of critical data. Upgrade to a fixed release (3.6.20 on the 3.x line, 4.0.4 on the 4.x line) to resolve this issue.
This vulnerability poses a significant threat to Juju deployments. An attacker exploiting CVE-2026-4370 can join the Dqlite cluster, effectively gaining read and write access to all data stored within it. This includes sensitive information such as user credentials, deployment configurations, and network settings. The attacker could escalate privileges, open firewall ports, and potentially compromise the entire Juju environment. The lack of client and server certificate validation opens the door to man-in-the-middle attacks, further amplifying the potential impact. The ability to modify the Dqlite database allows for arbitrary code execution and complete system takeover.
CVE-2026-4370 was publicly disclosed on April 2, 2026. A proof-of-concept (PoC) tool has been referenced in the vulnerability description, indicating the ease of exploitation. The vulnerability's critical severity (CVSS 10) and the availability of a PoC suggest a high probability of exploitation. It has not yet been added to the CISA KEV catalog, but its severity warrants close monitoring. Active campaigns are currently unconfirmed, but the ease of exploitation makes it a likely target.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-4370 is to upgrade Juju to a fixed release: 3.6.20 or later on the 3.x line, or 4.0.4 or later on the 4.x line. These releases include the necessary fixes to properly validate client certificates and prevent unauthorized cluster access. If an immediate upgrade is not feasible, implement network segmentation to restrict access to the Juju controller's Dqlite endpoint. Review firewall rules to ensure only authorized traffic can reach the Dqlite port. Monitor network traffic for suspicious connections to the Dqlite endpoint. After upgrading, verify the fix by attempting to connect to the Dqlite cluster from an unauthorized client and confirming that the connection is rejected.
Update Juju to version 3.6.20 or higher, or to version 4.0.4 or higher to mitigate the vulnerability. The update corrects the lack of TLS certificate validation, preventing unauthenticated attackers from joining the Dqlite database cluster.
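As an added example (not code from the advisory or the Juju project), the following Go check reads the github.com/juju/juju requirement from a go.mod and applies the ranges stated on this page. It assumes that every 3.x release at or above 3.6.20 and every 4.x release at or above 4.0.4 carries the fix, and it flags pseudo-versions of main for manual comparison against the fix commit rather than guessing; the sample go.mod in main is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory ranges: affected since 3.2.0, fixed in 3.6.20 (3.x) and 4.0.4 (4.x); assumes later 3.x/4.x stay fixed.
var firstAffected, fixed3x, fixed4x = key(3, 2, 0), key(3, 6, 20), key(4, 0, 4)
func key(major, minor, patch int) int { return major*1_000_000 + minor*1_000 + patch } // comparable form

// parseVersion reads "v3.6.19" or "v4.0.3-beta1"; %d stops at the suffix, so "v0.0.0-2026...-abc" parses as 0.0.0.
func parseVersion(s string) (k, major int, ok bool) {
	var a, b, c int
	n, _ := fmt.Sscanf(strings.TrimPrefix(s, "v"), "%d.%d.%d", &a, &b, &c)
	if n != 3 || a < 0 || b < 0 || c < 0 || a >= 1000 || b >= 1000 || c >= 1000 {
		return 0, 0, false
	}
	return key(a, b, c), a, true
}

// IsAffected is true inside the advisory's ranges; pseudo-versions of main and unparseable strings are flagged too.
func IsAffected(version string) bool {
	k, major, ok := parseVersion(version)
	switch {
	case !ok || major == 0:
		return true // review manually against the fix commit
	case major == 3:
		return k >= firstAffected && k < fixed3x
	case major == 4:
		return k < fixed4x
	}
	return false // before 3.2.0, or a major line the advisory does not list
}

// JujuVersionFromGoMod returns the github.com/juju/juju version a go.mod requires (one-line or block form).
func JujuVersionFromGoMod(gomod string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == "github.com/juju/juju" {
			return f[1], true
		}
	}
	return "", false
}

func main() { // constructed sample go.mod, not a real project's file
	ver, _ := JujuVersionFromGoMod("module example.com/app\nrequire github.com/juju/juju v3.6.19\n")
	fmt.Println(ver, "affected:", IsAffected(ver))
}
```

A `replace` directive pointing at a fork is not followed, so check those by hand.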
CVE-2026-4370 is a critical vulnerability in Juju affecting versions up to 0.0.0-20260401092550-1c1ac1922b57, allowing attackers to join and control the Dqlite cluster.
If you are running Juju versions prior to 4.0.4, you are potentially affected by this vulnerability. Check your Juju version and upgrade immediately.
Upgrade Juju to version 4.0.4 or later to address this vulnerability. Implement network segmentation as an interim measure.
While active exploitation is not yet confirmed, the vulnerability's severity and the availability of a PoC suggest a high likelihood of exploitation.
Refer to the Juju GitHub repository and release notes for the official advisory and detailed information regarding this vulnerability: https://github.com/juju/juju