Skip to main content

Canonical CVE-2026-5774

| EUVDEUVD-2026-21366 MEDIUM
Race Condition (CWE-362)
2026-04-10 canonical GHSA-7m55-2hr4-pw78
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 12:45 euvd
EUVD-2026-21366
Analysis Generated
Apr 10, 2026 - 12:45 vuln.today
Patch released
Apr 10, 2026 - 12:45 nvd
Patch available
CVE Published
Apr 10, 2026 - 12:10 nvd
MEDIUM 6.0

DescriptionCVE.org

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

AnalysisAI

Improper synchronization of the userTokens map in Canonical Juju API server (versions 4.0.5, 3.6.20, and 2.9.56) enables authenticated users to trigger denial of service or reuse single-use discharge tokens due to a race condition. The vulnerability requires low privilege authentication and partial attacker timing control but allows complete availability impact to the server. EPSS score of 6.1 reflects moderate real-world exploitation risk, though no public exploit code or active exploitation has been confirmed.

Technical ContextAI

The vulnerability stems from CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), affecting the authentication token management subsystem in Juju's API server. The userTokens map lacks proper synchronization mechanisms, creating a time-of-check-time-of-use (TOCTOU) race condition window. When multiple concurrent requests access the map during token validation or discharge token processing, an authenticated attacker can exploit the race to either cause the server to become unavailable or replay a single-use discharge token that should have been invalidated after first use. This is a classic synchronization flaw in concurrent systems where shared mutable state is accessed without adequate locking or atomic operations.

RemediationAI

Upgrade to patched versions immediately: Juju 4.0.6 or later for 4.0.x deployments, Juju 3.6.21 or later for 3.6.x deployments, and Juju 2.9.57 or later for 2.9.x deployments. Fixes are available in upstream pull requests #22206 and #22205 at https://github.com/juju/juju. Consult the official security advisory at https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78 for detailed upgrade instructions and verification steps. As a temporary mitigation (not a substitute for patching), restrict network access to the Juju API server to trusted administrative networks only, limiting exposure to authenticated attackers.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-5774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy