CVE-2026-4370 Overview
A critical authentication bypass vulnerability was identified in Canonical Juju's internal Dqlite database cluster. The flaw exists in versions 3.2.0 through 3.6.19 and versions 4.0 through 4.0.4, where the Juju controller's database endpoint fails to properly validate TLS client certificates when new nodes attempt to join the cluster. This improper certificate validation (CWE-295) allows an unauthenticated attacker with network access to the Juju controller's Dqlite port to join the database cluster without proper authentication, gaining full read and write access to the underlying database.
Critical Impact
An unauthenticated attacker can join the Dqlite database cluster and gain complete read/write access, enabling total data compromise of the Juju controller's database.
Affected Products
- Canonical Juju versions 3.2.0 through 3.6.19
- Canonical Juju versions 4.0 through 4.0.4
Discovery Timeline
- 2026-04-01 - CVE-2026-4370 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-4370
Vulnerability Analysis
This vulnerability represents an improper certificate validation flaw (CWE-295) in Canonical Juju's Dqlite database clustering implementation. The Juju controller serves as the central management component for Juju deployments, and it utilizes Dqlite—a distributed SQLite database—for storing configuration, state, and operational data.
The core issue lies in the TLS handshake process when new nodes attempt to join the Dqlite cluster. While TLS is implemented for transport encryption, the server-side validation of client certificates is not enforced. This means any client presenting a certificate—even a self-signed one—can successfully establish a connection and be accepted as a legitimate cluster member.
The vulnerability can be exploited over the network without any prior authentication or user interaction, and successful exploitation allows attackers to cross security boundaries, potentially affecting multiple dependent systems and workloads managed by Juju.
Root Cause
The root cause is improper TLS client certificate validation in the Juju controller's Dqlite database endpoint. When the database cluster receives a join request from a new node, it fails to verify that the connecting client possesses a certificate signed by a trusted Certificate Authority (CA) or matches an expected certificate chain. This missing validation step allows unauthorized nodes to join the cluster without proving their identity.
Attack Vector
The attack requires network reachability to the Juju controller's Dqlite port. An attacker can exploit this vulnerability by:
- Identifying a Juju controller with an exposed Dqlite port
- Generating a self-signed TLS certificate or using any valid certificate
- Initiating a cluster join request to the Dqlite endpoint
- Successfully joining the cluster due to missing certificate validation
- Gaining full read and write access to the database containing sensitive Juju configuration and state data
The vulnerability does not require any privileges, credentials, or user interaction to exploit. Once an attacker joins the cluster, they can read sensitive data including cloud credentials, machine configurations, and application settings, or modify data to compromise the integrity of the entire Juju deployment.
Detection Methods for CVE-2026-4370
Indicators of Compromise
- Unexpected nodes appearing in the Dqlite cluster membership
- Unrecognized TLS certificates in database cluster connection logs
- Anomalous database read/write activity from unknown IP addresses
- Changes to Juju controller configuration or credentials without authorized administrator action
Detection Strategies
- Monitor Dqlite cluster membership for unauthorized or unexpected node additions
- Implement network monitoring to detect connections to the Dqlite port from untrusted sources
- Review TLS handshake logs for connections using certificates not issued by the expected CA
- Enable audit logging for all database operations and alert on anomalous access patterns
Monitoring Recommendations
- Configure network intrusion detection systems (IDS) to monitor traffic to the Juju controller's Dqlite port
- Implement alerting for any new cluster join events
- Regularly audit the list of nodes in the Dqlite cluster against expected infrastructure
- Deploy SentinelOne agents on Juju controller hosts to detect suspicious process behavior and network connections
How to Mitigate CVE-2026-4370
Immediate Actions Required
- Upgrade Canonical Juju to version 3.6.20 or later for the 3.x branch, or version 4.0.5 or later for the 4.x branch
- Restrict network access to the Juju controller's Dqlite port using firewall rules to allow only trusted hosts
- Audit current Dqlite cluster membership and remove any unauthorized nodes
- Review database contents for signs of tampering or unauthorized access
Patch Information
Canonical has released security updates to address this vulnerability. Affected users should upgrade to patched versions as outlined in the GitHub Security Advisory (GHSA-gvrj-cjch-728p). The fix implements proper TLS client certificate validation, ensuring that only nodes with certificates signed by the expected CA can join the cluster.
Workarounds
- Implement strict network segmentation to ensure the Dqlite port is not accessible from untrusted networks
- Use firewall rules to allowlist only IP addresses of legitimate Juju controller cluster members
- Deploy a reverse proxy or VPN to add an additional authentication layer before the Dqlite endpoint
- Monitor cluster membership changes and immediately investigate any unexpected join attempts
# Example: Restrict Dqlite port access using iptables
# Replace TRUSTED_IP with the IP addresses of legitimate cluster nodes
iptables -A INPUT -p tcp --dport 17070 -s TRUSTED_IP_1 -j ACCEPT
iptables -A INPUT -p tcp --dport 17070 -s TRUSTED_IP_2 -j ACCEPT
iptables -A INPUT -p tcp --dport 17070 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
