CVE-2026-4370 - Vulnerability Details - OpenCVE

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/mdr-for-endpoint
https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p

History

Wed, 01 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
Title		Improper TLS Client/Server authentication and certificate verification on Database Cluster
Weaknesses		CWE-295 CWE-306
References		https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-01T08:09:17.570Z

Updated: 2026-04-01T13:01:08.226Z

Reserved: 2026-03-18T08:46:09.947Z

Link: CVE-2026-4370

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-01T09:16:17.717

Modified: 2026-04-01T09:16:17.717

Link: CVE-2026-4370

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4370", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-03-18T08:46:09.947Z", "datePublished": "2026-04-01T08:09:17.570Z", "dateUpdated": "2026-04-01T13:01:08.226Z"}, "containers": {"cna": {"title": "Improper TLS Client/Server authentication and certificate verification on Database Cluster", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-295", "description": "CWE-295 Improper certificate validation", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Adversary in the Middle (AiTM)"}]}], "affected": [{"vendor": "Canonical", "product": "Juju", "platforms": ["Linux"], "collectionURL": "https://github.com/juju/", "packageName": "juju", "repo": "https://github.com/juju/juju", "versions": [{"status": "affected", "version": "3.2.0", "lessThan": "3.6.20", "versionType": "semver"}, {"status": "affected", "version": "4.0", "lessThan": "4.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise."}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Harry Pidcock", "type": "finder"}, {"lang": "en", "value": "Joseph Phillips", "type": "remediation developer"}, {"lang": "en", "value": "Ian Booth", "type": "coordinator"}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-01T08:09:17.570Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:00:31.628747Z", "id": "CVE-2026-4370", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:01:08.226Z"}}]}}