Auth bypass in Canonical Juju
CVE-2026-4370
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju contro…
Vulnerability class: Improper Certificate Validation
EPSS: 0.000 (11.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Canonical Juju — versions 3.2.0, 4.0
Weakness classification (CWE)
References
Frequently asked questions
- What is CVE-2026-4370?
- CVE-2026-4370 is a critical-severity vulnerability in Canonical Juju, classified under Improper Certificate Validation. CVSS score: 10.0/10. Published 2026-04-01.
- How severe is CVE-2026-4370?
- Critical severity. CVSS v3 base score is 10.0 out of 10.