How to fix CVE-2026-4370?

Within 24 hours: Identify all Juju controller deployments running versions 3.2.0-3.6.19 or 4.0-4.0.4 and document network exposure of Dqlite database ports. Implement immediate network segmentation to restrict access to Dqlite endpoints (default port 29999) to trusted administrative networks only. Within 7 days: Contact Canonical support for patched version availability and upgrade timeline; evaluate migration to unaffected Juju versions if patches remain unavailable. Within 30 days: Deploy patched Juju versions to all affected controllers and audit all stored credentials and configurations for signs of unauthorized access or modification.

CVE-2026-4370

EUVD-2026-17847 CRITICAL

2026-04-01 canonical

GHSA-gvrj-cjch-728p

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 09:00 euvd

EUVD-2026-17847

Analysis Generated

Apr 01, 2026 - 09:00 vuln.today

CVE Published

Apr 01, 2026 - 08:09 nvd

CRITICAL 10.0

Description

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.

Analysis

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows complete data exfiltration and manipulation through missing TLS certificate validation on Dqlite database endpoints. The controller's database cluster accepts unauthorized node joins from any network-accessible attacker, granting full read/write access to all stored credentials, configurations, and orchestration data. …

Remediation

Within 24 hours: Identify all Juju controller deployments running versions 3.2.0-3.6.19 or 4.0-4.0.4 and document network exposure of Dqlite database ports. Implement immediate network segmentation to restrict access to Dqlite endpoints (default port 29999) to trusted administrative networks only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +50

POC: 0

Vendor Status

Debian

juju

Release	Status	Fixed Version	Urgency
(unstable)	fixed	(unfixed)	-

CVE-2026-4370 vulnerability details – vuln.today

Back

CVE-2026-4370

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Debian

Share

CVE-2026-4370

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code