Vulnerability in Canonical Juju
CVE-2026-5774
Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
Vulnerability class: Race Condition
EPSS: 0.000 (percentile 2.1)
Affected products
- Canonical Juju — versions 2.0.0, 3.0.0, 4.0.0
Weakness classification (CWE)
References
- In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence (vdb-entry, vendor-advisory)
- github.com/juju/juju/pull/22206 (patch, issue-tracking)
- github.com/juju/juju/pull/22205 (patch, issue-tracking)
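The description above boils down to two consequences of an unsynchronised in-memory map holding single-use tokens: concurrent writes to a Go map are a fatal runtime error (a denial of service for the whole API server), and a non-atomic "look up, then delete" lets two racing requests both consume the same token. The following Go program is an added illustration of the hardened pattern; it is not Juju's code and none of its names (TokenStore, userTokens, Issue, Consume, RaceConsume) or sample values are taken from the project. A single mutex serialises access so the check and the delete happen in one critical section.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Hypothetical single-use discharge token store (added example, not Juju's code).
// ErrTokenUnknown is returned when a token is absent or has already been used.
var ErrTokenUnknown = errors.New("discharge token unknown or already used")

// TokenStore keeps one outstanding single-use token per user.
// The mutex serialises every access: without it, concurrent API requests
// could write the map at the same time (Go aborts the process with
// "concurrent map writes", i.e. a server-wide denial of service), and two
// requests could both observe the token as valid before either deleted it.
type TokenStore struct {
	mu         sync.Mutex
	userTokens map[string]string // user -> outstanding single-use token
}

func NewTokenStore() *TokenStore {
	return &TokenStore{userTokens: make(map[string]string)}
}

// Issue records a fresh token for the user, replacing any outstanding one.
func (s *TokenStore) Issue(user, token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.userTokens[user] = token
}

// Consume validates and deletes the token in a single critical section.
// Splitting the lookup and the delete across two lock acquisitions (or
// doing them with no lock at all) is exactly the race that allows reuse.
func (s *TokenStore) Consume(user, token string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	stored, ok := s.userTokens[user]
	if !ok || stored != token {
		return ErrTokenUnknown
	}
	delete(s.userTokens, user)
	return nil
}

// RaceConsume fires n concurrent Consume calls for the same token and
// returns how many of them succeeded. With correct synchronisation exactly
// one caller wins, however many goroutines race.
func RaceConsume(s *TokenStore, user, token string, n int) int {
	var wg sync.WaitGroup
	var countMu sync.Mutex
	successes := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if s.Consume(user, token) == nil {
				countMu.Lock()
				successes++
				countMu.Unlock()
			}
		}()
	}
	wg.Wait()
	return successes
}

func main() {
	store := NewTokenStore()
	// Constructed sample values; a real discharge token would be opaque data.
	store.Issue("alice", "discharge-token-1")
	fmt.Println("successful consumptions:", RaceConsume(store, "alice", "discharge-token-1", 100))
	fmt.Println("second use:", store.Consume("alice", "discharge-token-1"))
}
```

Running the program under `go run -race` (or the test suite under `go test -race`) is the practical check for this class of bug: the race detector flags unsynchronised map access even when the schedule happens not to trigger a crash. The store is still purely in-memory, so the persistence half of the advisory title is out of scope here; a restart simply forgets outstanding tokens rather than reusing them.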