Cyber Resilience

CVE-2026-4370

Critical · Public PoC

Published: 01 April 2026
Modified: 02 April 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0038 (29.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4370 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Canonical Juju. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-4370 is a critical vulnerability in Juju, an open-source orchestration tool for managing containerized applications, affecting versions 3.2.0 through 3.6.19 and 4.0 through 4.0.4. The flaw resides in the internal Dqlite database cluster used by the Juju controller, where proper TLS client and server authentication is not enforced. Specifically, the controller's database endpoint fails to validate client certificates during the cluster join process for new nodes; the weakness maps to CWE-295 (Improper Certificate Validation) and CWE-306 (Missing Authentication for Critical Function). It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the maximum severity: the endpoint is network-accessible, no authentication or user interaction is needed, the scope changes, and confidentiality, integrity, and availability are all highly impacted.

An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this by impersonating a legitimate node to join the database cluster. Once joined, the attacker obtains full read and write access to the underlying database, enabling complete data compromise, including extraction, modification, or deletion of sensitive configuration, model data, and operational state managed by Juju.

Mitigation details and patches are outlined in the official advisory at https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p, which security practitioners should consult for upgrade paths beyond the affected versions.
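To make the failure mode concrete, here is an added Go example (not Juju or Dqlite code) that stands up a loopback TLS listener under each `tls.ClientAuthType` and checks whether a peer that presents no client certificate gets through; the certificate, the loopback address and the `selfSignedCert`/`JoinAccepted` helpers are constructed for this example. It goes slightly beyond the advisory by also showing that `VerifyClientCertIfGiven` and `RequestClientCert` still admit a certificate-less peer, so only `RequireAndVerifyClientCert` delivers the mutual authentication the advisory calls for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert: throwaway cert for 127.0.0.1 plus a pool trusting it (constructed here, not Juju's PKI).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixed inputs, errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// JoinAccepted runs a loopback TLS listener under the given client-auth policy and
// reports whether a peer presenting NO client certificate gets through the handshake
// and receives data, i.e. whether an unauthenticated node could join. The read after
// Dial matters: under TLS 1.3 the certificate-required alert only surfaces on first read.
func JoinAccepted(policy tls.ClientAuthType) bool {
	cert, pool := selfSignedCert()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, ClientCAs: pool}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // server side: greets only if its handshake (incl. client auth) succeeded
		if c, err := ln.Accept(); err == nil { c.Write([]byte("ok")); c.Close() }
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool})
	if err != nil {
		return false // TLS 1.2 servers reject inside the handshake itself
	}
	defer cli.Close()
	cli.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = io.ReadFull(cli, make([]byte, 2))
	return err == nil
}
```

`JoinAccepted(tls.NoClientCert)` and `JoinAccepted(tls.VerifyClientCertIfGiven)` return true, `JoinAccepted(tls.RequireAndVerifyClientCert)` returns false; the same check can be pointed at any listener's actual `tls.Config` to confirm that cluster-join endpoints reject unauthenticated peers.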


Vulnerability details

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated network access to the Juju controller's exposed Dqlite database endpoint via bypassed TLS certificate validation during cluster join, directly enabling exploitation of this public-facing application for unauthorized full read/write database access and data compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53513 · Same product: Canonical Juju
CVE-2025-0928 · Same product: Canonical Juju
CVE-2026-5412 · Same product: Canonical Juju
CVE-2026-32693 · Same product: Canonical Juju
CVE-2026-32692 · Same product: Canonical Juju
CVE-2026-4810 · Shared CWE-306
CVE-2025-53847 · Shared CWE-306
CVE-2025-61757 · Shared CWE-306
CVE-2025-46070 · Shared CWE-295
CVE-2025-68715 · Shared CWE-306

Affected Assets

canonical / juju: 3.2.0 — 3.6.20 · 4.0 — 4.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent · IA-3 (Device Identification and Authentication): Requires identification and authentication of devices such as cluster nodes via client certificates, directly preventing unauthenticated nodes from joining the Dqlite database cluster.

prevent: Mandates proper management and validation of PKI certificates for TLS client authentication, addressing the improper certificate validation flaw during cluster joins.

prevent · AC-17 (Remote Access): Establishes controls for remote access including mutual authentication and cryptographic protection, mitigating network-reachable unauthorized access to the Dqlite port.
