Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
  • Experiencing a breach?
  • Blog
  • Careers

  • Platform & Products

    • Singularity™ Platform

      Unified Enterprise Security. Machine-Speed Protection, Intelligence, and Response.

    • XDR

      Native and Open Protection, Detection, and Response.

    • Integrations and Partners

      One-Click Integrations to Unlock the Power of SentinelOne.

    Product Tours
    Pricing & Packages
    Get a Demo

  • Solutions & Use Cases

    SentinelOne for Industries

    Security Tuned for Your Industry.

    See All Industries
    • Healthcare

      Protect Patient Data. Keep Clinical Systems Online.

    • Financial Services

      Stop Fraud and Ransomware. Stay Audit-Ready.

    • Federal Government

      FedRAMP and IL5-Ready Defense for Federal Missions.

    • Manufacturing

      Defend OT, IT, IIOT, and Supply Chains at Scale.

    • Energy

      Secure OT Systems and Critical Infrastructure.

    • Transportation and Logistics

      Defend Operations Across Fleet, Port, and Rail.

    • Higher Education

      Protect Open Networks Without Slowing Research.

    • K-12 Education

      Stop Ransomware. Protect Students, Staff, and Data.

    • Retail and Hospitality

      Defend Your Brand, Customer Data, and Bottom Line.

    • SMB & Startups

      Enterprise-Grade Defense for Fast Teams.

    See all solutions

  • Services

    Managed Services

    Wayfinder Threat Detection and Response.

    Learn More
    • Threat Hunting

      World-Class Expertise and Threat Intelligence.

    • Managed Detection and Response

      24/7 Expert MDR Across Your Entire Environment.

    • Incident Readiness and Response

      DFIR, Breach Readiness, and Compromise Assessments.

    Experiencing a breach?

    Our experts are here to help 24/7.

    1-855-868-3733
    Get Help Now

  • Partners

    Become a Partner

    • Become a SentinelOne Partner

      Join the Global SentinelOne Ecosystem

    • Explore MSSP Solutions

      Services Succeed Faster with SentinelOne

    • Form a Technology Alliance

      Integrated, Enterprise-Scale Solutions

    Find a Partner

    • Enlist a Response or Advisory Team

      Enlist Pro Response and Advisory Teams

    • SentinelOne for AWS

      Hosted Across AWS Regions Worldwide

    • SentinelOne for Google

      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale

    • Partner Locator

      Your Go-to Source for Our Top Partners in Your Region

    • Singularity Marketplace

      One-Click Integrations for Unified Prevention, Detection, and Response

      Explore integrations
    Partner Portal Login

  • Why SentinelOne

    • Why Choose SentinelOne

      AI-Powered Cybersecurity Built to Secure What’s Next.

    • Our Customers

      Trusted by the World’s Leading Companies.

    • Industry Awards & Recognition

      Tested and Proven by the Experts.

  • Resources & Support

    Resources

    • Resource Center
    • Webinars
    • Cybersecurity Blog
    • Events
    • Newsroom

    Company

    • About SentinelOne
    • Careers
    • S Ventures
    • S Foundation
    • Dataset
    • FAQ
    • Investors Relations

    Customer Success & Support

    • Live and On-Demand Training
    • Guided Onboarding & Deployment
    • Technical Account Management
    • Support Services
    • Customer Portal
    • Get Support Now

    Explore

    • Vulnerability Database
    • SentinelLABS Threat Research
    • Ransomeware Anthology
    • Cybersecurity 101
    EventJoin us at OneCon (Oct. 20–22, 2026)
    CompetitionThreat Hunting World Championship 2026
    ReportThe SentinelOne Annual Threat Report
  • Pricing
Get StartedContact us

Explore SentinelOne

  • Pricing
Events
Get StartedContact us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-4370

CVE-2026-4370: Canonical Juju Auth Bypass Vulnerability

CVE-2026-4370 is an authentication bypass flaw in Canonical Juju that allows attackers to join the Dqlite database cluster without validation. This post covers the technical details, affected versions, and mitigation steps.

Updated: May 14, 2026

CVE-2026-4370 Overview

CVE-2026-4370 is a certificate validation vulnerability [CWE-295] in Canonical Juju, affecting the internal Dqlite database cluster. The flaw exists in Juju versions 3.2.0 through 3.6.19 and 4.0 through 4.0.4. The Juju controller's Dqlite endpoint fails to validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network access to the Dqlite port can join the database cluster directly. Once joined, the attacker obtains full read and write access to the underlying database, resulting in complete data compromise.

Critical Impact

Network-reachable attackers can join the Juju controller's Dqlite cluster without authentication and gain full read/write access to all controller data.

Affected Products

  • Canonical Juju versions 3.2.0 through 3.6.19
  • Canonical Juju versions 4.0 through 4.0.4
  • Juju controllers exposing the internal Dqlite database port

Discovery Timeline

  • 2026-04-01 - CVE-2026-4370 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-4370

Vulnerability Analysis

Juju is Canonical's open-source application orchestration engine for cloud and Kubernetes workloads. The Juju controller stores its operational state in Dqlite, a distributed SQLite variant that uses Raft consensus for replication across controller nodes. Dqlite nodes communicate over TLS and rely on mutual authentication to restrict cluster membership.

In the affected versions, the controller's Dqlite endpoint accepts incoming cluster join requests without verifying the presenting client's certificate against the trusted certificate authority. The server-side identity check is also weakened, allowing arbitrary peers to negotiate sessions. This breaks the trust boundary that should isolate the database cluster from any unauthenticated network entity.

The consequence is total compromise of controller state. Juju's database contains model configuration, application secrets, machine credentials, and cloud provider credentials used to manage downstream workloads. An attacker reading or modifying this data can pivot to managed clouds, alter deployment manifests, or exfiltrate secrets.

Root Cause

The vulnerability is an improper certificate validation defect [CWE-295] in the Dqlite transport layer used by the Juju controller. Both client and server sides of the TLS handshake fail to enforce the certificate checks required by the cluster's mutual TLS design.

Attack Vector

Exploitation requires network reachability to the Juju controller's Dqlite port and no authentication, user interaction, or privileges. The attacker initiates a Dqlite cluster join handshake. Because client certificate validation is absent, the controller accepts the new node and begins replicating the database. The attacker then issues SQL operations directly against the replicated dataset. Refer to the GitHub Security Advisory GHSA-gvrj-cjch-728p for vendor-provided technical detail.

Detection Methods for CVE-2026-4370

Indicators of Compromise

  • Unexpected entries in Juju controller logs indicating a new Dqlite cluster member joining outside of planned controller scaling events.
  • TCP connections to the controller's Dqlite port originating from IP addresses that are not part of the documented controller HA set.
  • Unexplained changes to Juju model configuration, application secrets, or cloud credentials stored in the controller database.

Detection Strategies

  • Audit Dqlite cluster membership using juju administrative tooling and compare current members against the expected controller inventory.
  • Inspect controller logs for TLS handshake events on the Dqlite port and flag sessions where the peer certificate was not issued by the controller certificate authority.
  • Monitor for network flows to the Dqlite port from sources outside the controller management subnet.

Monitoring Recommendations

  • Forward Juju controller logs and host network telemetry to a centralized analytics platform for correlation across controllers.
  • Alert on any new Raft peer addition events outside of approved change windows.
  • Track outbound activity from controller hosts following suspicious join events to identify credential abuse against managed clouds.

How to Mitigate CVE-2026-4370

Immediate Actions Required

  • Upgrade Juju controllers to a fixed release as listed in the Juju security advisory.
  • Restrict network access to the controller's Dqlite port to only the IP addresses of legitimate controller HA peers using host or cloud firewall rules.
  • Rotate any secrets, cloud credentials, and SSH keys stored in the Juju controller if unauthorized cluster membership cannot be ruled out.

Patch Information

Canonical has released fixed versions beyond Juju 3.6.19 and 4.0.4. Operators should consult the GitHub Security Advisory GHSA-gvrj-cjch-728p for the exact patched release numbers and upgrade procedure for high-availability controllers.

Workarounds

  • Place Juju controllers on an isolated management network and block the Dqlite port at the perimeter firewall.
  • Use cloud security group rules or Kubernetes NetworkPolicies to allow Dqlite traffic only between known controller pods or instances.
  • Until patched, increase logging verbosity on controllers and review Dqlite peer additions daily.
bash
# Example: restrict Dqlite port to known controller peers using iptables
# Replace 17070 with the actual Dqlite port and update peer IPs for your environment
iptables -A INPUT -p tcp --dport 17070 -s 10.0.0.11 -j ACCEPT
iptables -A INPUT -p tcp --dport 17070 -s 10.0.0.12 -j ACCEPT
iptables -A INPUT -p tcp --dport 17070 -s 10.0.0.13 -j ACCEPT
iptables -A INPUT -p tcp --dport 17070 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechCanonical Juju
  • SeverityCRITICAL
  • CVSS Score10.0
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-295
  • Vendor Resources
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-32692: Canonical Juju Auth Bypass Vulnerability
  • CVE-2026-32693: Canonical Juju Auth Bypass Vulnerability
  • CVE-2026-32691: Canonical Juju Race Condition Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
Get a DemoContact Us
  • Product Tours
  • Why SentinelOne
  • Pricing & Packages
  • FAQ
  • SentinelOne Status

Key Products & Solutions

  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Prompt Security
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Explore Solutions

Services

  • Wayfinder TDR
  • Managed Detection and Response
  • Threat Hunting
  • Incident Readiness
& Response
  • Technical Account Management
  • Guided Onboarding 
& Deployment
  • Support Services

Company

  • About Us
  • Our Customers
  • Careers
  • Partners
  • S1 Foundation
  • S1 Ventures
  • Legal Information
  • Security & Compliance
  • Investor Relations

Quick Links

  • Customer Portal
  • Partner Portal
  • Become a Partner
  • Resource Center
  • SentinelLABS Threat Research
  • Blog
  • Press Center
  • Cybersecurity 101
  • Events
  • Ransomware Anthology
©2026 SentinelOne, All Rights Reserved
Privacy NoticeTerms of Use
English
English