CVE-2026-4370
Published: 01 April 2026
Summary
CVE-2026-4370 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Canonical Juju. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 8.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-3 (Device Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5; AI-generated)
- Requires identification and authentication of devices such as cluster nodes via client certificates, directly preventing unauthenticated nodes from joining the Dqlite database cluster.
- Mandates proper management and validation of PKI certificates for TLS client authentication, addressing the improper certificate validation flaw during cluster joins.
- Establishes controls for remote access, including mutual authentication and cryptographic protection, mitigating network-reachable unauthorized access to the Dqlite port.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated network access to the Juju controller's exposed Dqlite database endpoint via bypassed TLS certificate validation during cluster join, directly enabling exploitation of this public-facing application for unauthorized full read/write database access and data compromise.
NVD Description
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
Deeper analysis (AI-generated)
CVE-2026-4370 is a critical vulnerability in Juju, an open-source orchestration tool for managing containerized applications, affecting versions 3.2.0 through 3.6.19 and 4.0 through 4.0.4. The flaw resides in the internal Dqlite database cluster used by the Juju controller, where proper TLS client and server authentication is not enforced. Specifically, the controller's database endpoint fails to validate client certificates during the cluster join process for new nodes; the weakness is classified as CWE-295 (Improper Certificate Validation) and CWE-306 (Missing Authentication for Critical Function). It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): the flaw is reachable over the network, requires no privileges or user interaction, changes scope, and has high impact on confidentiality, integrity, and availability, which is the maximum severity the scale allows.
An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this by impersonating a legitimate node to join the database cluster. Once joined, the attacker obtains full read and write access to the underlying database, enabling complete data compromise, including extraction, modification, or deletion of sensitive configuration, model data, and operational state managed by Juju.
Mitigation details and patches are outlined in the official advisory at https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p, which security practitioners should consult for upgrade paths beyond the affected versions.
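As an added illustration (not Juju's code and not taken from the advisory), the Go snippet below simulates the cluster-join handshake with three constructed identities; the names JoinAttempt and selfSigned are hypothetical. It shows what decides the join on the controller side: tls.NoClientCert or tls.RequestClientCert admits any node, which is the effect the flaw has, while tls.RequireAndVerifyClientCert with ClientCAs pinned to the cluster's own trust store turns away a node that presents no certificate or one the cluster never issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// selfSigned mints a throwaway self-signed identity (constructed for this example) and a pool trusting only it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
var ctrlCert, ctrlPool = selfSigned("controller") // controller identity; nodes verify the endpoint against ctrlPool
var nodeCert, clusterCAs = selfSigned("node-1")   // a legitimate node; clusterCAs is the trust store the controller must pin
var rogueCert, _ = selfSigned("rogue-node")       // a certificate the cluster never issued
// JoinAttempt runs one handshake between a node presenting joiner (none = no certificate) and a controller
// listening with policy; the controller side's handshake error is the verdict, since that side admits the node.
func JoinAttempt(policy tls.ClientAuthType, joiner ...tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{ctrlCert}, ClientAuth: policy, ClientCAs: clusterCAs})
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // controller side
		if c, err := ln.Accept(); err != nil {
			verdict <- err
		} else {
			verdict <- c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: ctrlPool, ServerName: "controller", Certificates: joiner})
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-verdict
}
```

The node's own Dial may succeed under TLS 1.3 before the controller has examined its certificate, which is why the controller side's handshake result, not the client's, is what JoinAttempt reports.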
Details
- CWE(s)