CVE-2026-4370Improper Certificate Validation in Juju

CWE-295Improper Certificate ValidationCWE-306Missing Authentication for Critical FunctionCWE-287Improper AuthenticationCWE-296Improper Following of a Certificate's Chain of Trust12 documents5 sources
Severity
10.0CRITICALNVD
EPSS
0.1%
top 78.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Canonical JujuGithub.com Juju Juju
Timeline
PublishedApr 1
Latest updateApr 2

Description

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once join

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages3 packages

CVEListV5canonical/juju3.2.03.6.20+1
NVDcanonical/juju3.2.03.6.20+1
Gogithub.com/juju_juju0.0.0-20260401092550-1c1ac1922b57

🔴Vulnerability Details

3
GHSA
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster2026-04-02
OSV
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster2026-04-02
CVEList
Improper TLS Client/Server authentication and certificate verification on Database Cluster2026-04-01

🕵️Threat Intelligence

3
Wiz
CVE-2026-4370 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-24744 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-1679 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-4370 — Improper Certificate Validation in Juju | cvebase