Platform: go
Component: github.com/juju/juju
Fixed in: 2.9.57, 3.6.21, 4.0.6, 0.0.0-20260408003526-d395054dc2c3 (Go pseudo-version of the fix commit)
CVE-2026-5774 describes a concurrency vulnerability in Juju, a tool for deploying and managing applications on cloud platforms. The flaw stems from missing synchronization around the map of discharge tokens in the Juju API server: concurrent access to the map can trigger a Go runtime panic, and a single-use discharge token can be consumed more than once before it is deleted. Affected are Juju releases earlier than 2.9.57, 3.6.21 and 4.0.6 on their respective series, and source builds earlier than the pseudo-version 0.0.0-20260408003526-d395054dc2c3, which identifies the commit carrying the fix.
The impact of CVE-2026-5774 is twofold: denial of service and unauthorized access. Go aborts the whole process on unsynchronized concurrent map reads and writes, so a burst of overlapping authentication requests can crash the Juju API server and disrupt deployment and management of every model it controls. More seriously, because the check for a token and its removal are not performed as one atomic step, two requests presenting the same discharge token can both be accepted before either deletes it. A token that should have been spent can therefore be replayed, letting whoever holds it act as the user it authenticates, with data exposure or compromise of managed applications as the possible outcome. The blast radius extends to any environment that relies on Juju for application orchestration, particularly those handling sensitive data or critical infrastructure.
CVE-2026-5774 was publicly disclosed on 2026-04-10. As of that date there are no known public proof-of-concept exploits, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is 0.01% (2nd percentile), a low predicted probability of exploitation in the near term; that estimate reflects the absence of observed exploit activity, not the severity of the outcome, so it is not a reason to defer the upgrade.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC:
The primary mitigation for CVE-2026-5774 is to upgrade Juju to a fixed release: 2.9.57, 3.6.21 or 4.0.6 depending on the series in use, or a source build at or after pseudo-version 0.0.0-20260408003526-d395054dc2c3. If an immediate upgrade is not feasible because of compatibility or testing constraints, restrict network access to the Juju API server to trusted users and hosts in the meantime. A WAF or proxy cannot fix a concurrency bug, but rate limiting authentication requests at the edge reduces how often overlapping requests for the same token can reach the server. There are no Sigma or YARA rules specific to this issue, since it is a race condition rather than a recognizable request pattern; the observable symptom of the denial-of-service path is the API server process aborting with the Go runtime's generic message for this condition (for example "fatal error: concurrent map read and map write"), so unexplained controller restarts carrying that message are worth correlating with bursts of authentication traffic.
Update the Juju API server to version 2.9.57 or higher, 3.6.21 or higher, or 4.0.6 or higher to mitigate the vulnerability. The update corrects the incorrect synchronization of the user tokens map, thus preventing potential denial-of-service attacks or the reuse of single-use discharge tokens.
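The two failure modes described above, a process-killing race on the map and a check-then-delete window that grants the same single-use token twice, and the shape of the fix (one lock around lookup and removal) are easier to see in a small model than in prose. The following Go program is an illustration written for this page, not Juju's own code; the type and function names (UnsafeTokenStore, SafeTokenStore, Issue, Consume, InterleavedDoubleConsume, RaceConsume) and the token strings are assumptions. It shows the double-consume interleaving deterministically on the unsynchronized store, then fires 200 goroutines at the mutex-protected store and shows exactly one is granted.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

// Illustrative model written for this page; not Juju's implementation.
var ErrUnknownToken = errors.New("discharge token unknown or already consumed")

// UnsafeTokenStore keeps single-use tokens in a plain map with no locking, the
// class of bug the advisory describes. Two things go wrong under concurrency:
// the Go runtime aborts the process on simultaneous map read/write, and lookup
// and delete are separate steps, so two callers can both find the token before
// either removes it.
type UnsafeTokenStore struct {
	tokens map[string]string // token -> user it discharges
}

func NewUnsafeTokenStore() *UnsafeTokenStore {
	return &UnsafeTokenStore{tokens: map[string]string{}}
}

func (s *UnsafeTokenStore) Issue(tok, user string) { s.tokens[tok] = user }

// lookup and remove are the two halves of an unsynchronized Consume, split out
// so the harmful schedule can be reproduced without relying on the scheduler.
func (s *UnsafeTokenStore) lookup(tok string) (string, bool) {
	user, ok := s.tokens[tok]
	return user, ok
}

func (s *UnsafeTokenStore) remove(tok string) { delete(s.tokens, tok) }

// InterleavedDoubleConsume plays out "A looks up, B looks up, A deletes,
// B deletes" against the unsafe store and returns how many requests were
// granted. delete on a missing key is a no-op, so B never learns the token
// was already spent: the result is 2 for a token that should be usable once.
func InterleavedDoubleConsume(s *UnsafeTokenStore, tok string) int {
	granted := 0
	_, okA := s.lookup(tok)
	_, okB := s.lookup(tok)
	if okA {
		s.remove(tok)
		granted++
	}
	if okB {
		s.remove(tok)
		granted++
	}
	return granted
}

// SafeTokenStore guards the map with a mutex and performs check-and-delete as
// one critical section, so a token is granted at most once and the runtime
// never observes concurrent map access.
type SafeTokenStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func NewSafeTokenStore() *SafeTokenStore {
	return &SafeTokenStore{tokens: map[string]string{}}
}

func (s *SafeTokenStore) Issue(tok, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = user
}

// Consume returns the user for tok and removes it; any later caller,
// concurrent or not, receives ErrUnknownToken.
func (s *SafeTokenStore) Consume(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.tokens[tok]
	if !ok {
		return "", ErrUnknownToken
	}
	delete(s.tokens, tok)
	return user, nil
}

// RaceConsume releases n goroutines at once against consume for the same token
// and returns how many were granted. For SafeTokenStore this is always 1.
func RaceConsume(consume func(string) (string, error), tok string, n int) int {
	var wg sync.WaitGroup
	var granted int64
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start
			if _, err := consume(tok); err == nil {
				atomic.AddInt64(&granted, 1)
			}
		}()
	}
	close(start)
	wg.Wait()
	return int(granted)
}

func main() {
	racy := NewUnsafeTokenStore()
	racy.Issue("discharge-1", "alice") // constructed sample token
	fmt.Println("unsafe store, interleaved requests granted:", InterleavedDoubleConsume(racy, "discharge-1"))

	fixed := NewSafeTokenStore()
	fixed.Issue("discharge-1", "alice")
	fmt.Println("safe store, 200 concurrent requests granted:", RaceConsume(fixed.Consume, "discharge-1", 200))
}
```

Running RaceConsume against the unsafe store is deliberately left out: with real goroutines the Go runtime would abort the process on the concurrent map access, which is the denial-of-service half of the advisory and not something a test should depend on. `go run -race` on this program reports no races for SafeTokenStore; the same flag against a build of the vulnerable server path is the quickest way to confirm a fix of this kind.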
CVE-2026-5774 is a concurrency flaw in Juju where the absence of synchronization when accessing discharge tokens can lead to runtime panics and potential token reuse, impacting application deployments.
You are affected if you run a Juju release earlier than the fixed version for your series (2.9.57, 3.6.21 or 4.0.6), or a source build earlier than pseudo-version 0.0.0-20260408003526-d395054dc2c3. Check the controller and client versions in your deployment to determine whether an upgrade is needed.
Upgrade Juju to 2.9.57, 3.6.21 or 4.0.6 (or a later release of that series) to address the concurrency vulnerability. If an upgrade is not immediately possible, restrict network access to the Juju API server to trusted users and hosts.
As of 2026-04-10, there are no confirmed reports of active exploitation of CVE-2026-5774. However, the potential for exploitation exists.
Refer to the official Juju project documentation and security advisories for the most up-to-date information regarding CVE-2026-5774 and mitigation steps.