CVE-2026-4370

CRITICAL · CVSS 10.0 · EPSS percentile 29.8%

Description

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
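The flaw class described above, shown as an added example in Go's standard crypto/tls. Juju and Dqlite are written in Go, but this is not their code and it does not reproduce how Juju wires up Dqlite; it contrasts a listener that never asks a joining peer for a certificate (the CWE-295/CWE-306 shape) with one that requires a client certificate chaining to the cluster's private CA, and runs four "join" handshakes over loopback: an anonymous peer against each listener, a legitimately issued member, and a peer holding a valid-looking certificate from a foreign CA. The hostname "dqlite.example", the CA names, the node names and the in-memory PKI are placeholders constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key and signs a certificate for name; parent == nil yields a self-signed CA.
// Throwaway in-memory PKI for this demonstration only, not Juju's or Dqlite's code.
func issue(name string, usage x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// weakServer: TLS is on, but the peer is never asked for a certificate, so anyone
// who can reach the port is treated as a cluster member.
func weakServer(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.NoClientCert, MinVersion: tls.VersionTLS12}
}

// hardenedServer: mutual TLS; the peer must present a certificate that chains to the cluster CA.
func hardenedServer(cert tls.Certificate, clusterCA *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clusterCA, MinVersion: tls.VersionTLS12}
}

// handshakes runs one TLS handshake over loopback TCP and reports whether the server
// accepted the peer. The server's verdict is decisive: under TLS 1.3 the client side
// can finish its handshake before the server has rejected a missing or untrusted certificate.
func handshakes(server, client *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer raw.Close()
		_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
		verdict <- tls.Server(raw, server).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	if tls.Client(raw, client).Handshake() != nil {
		return false
	}
	return <-verdict == nil
}

// Verdicts records, per scenario, whether the "join" handshake was accepted.
type Verdicts struct {
	WeakAcceptsAnonymous     bool // the flaw: no identity presented, still in
	HardenedAcceptsAnonymous bool // expected false
	HardenedAcceptsMember    bool // cluster-CA-issued client certificate, expected true
	HardenedAcceptsRogueCA   bool // well-formed certificate from a foreign CA, expected false
}

func RunScenarios() Verdicts {
	clusterCA, clusterKey, _ := issue("cluster-ca", x509.ExtKeyUsageAny, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(clusterCA)
	// "dqlite.example" stands in for the controller's database endpoint hostname.
	_, _, serverCert := issue("dqlite.example", x509.ExtKeyUsageServerAuth, clusterCA, clusterKey)
	_, _, memberCert := issue("node-2", x509.ExtKeyUsageClientAuth, clusterCA, clusterKey)
	rogueCA, rogueKey, _ := issue("attacker-ca", x509.ExtKeyUsageAny, nil, nil)
	_, _, rogueCert := issue("node-2", x509.ExtKeyUsageClientAuth, rogueCA, rogueKey)

	// An unauthenticated attacker holds no cluster credentials and does not bother verifying the server.
	anonymous := &tls.Config{InsecureSkipVerify: true}
	member := &tls.Config{RootCAs: pool, ServerName: "dqlite.example", Certificates: []tls.Certificate{memberCert}}
	rogue := &tls.Config{InsecureSkipVerify: true, Certificates: []tls.Certificate{rogueCert}}

	return Verdicts{
		WeakAcceptsAnonymous:     handshakes(weakServer(serverCert), anonymous),
		HardenedAcceptsAnonymous: handshakes(hardenedServer(serverCert, pool), anonymous),
		HardenedAcceptsMember:    handshakes(hardenedServer(serverCert, pool), member),
		HardenedAcceptsRogueCA:   handshakes(hardenedServer(serverCert, pool), rogue),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The weak listener is not "plaintext": the connection is encrypted and the attacker cannot eavesdrop on other members, which is exactly why TLS-without-client-auth tends to pass casual inspection. The two properties a reviewer should look for on any cluster-internal endpoint are both present in hardenedServer: `ClientAuth: tls.RequireAndVerifyClientCert` and a `ClientCAs` pool restricted to the cluster's own CA, so that a certificate from any other issuer (the rogue case) is rejected even though it is syntactically valid. The member client also pins `RootCAs` and `ServerName`, which is the server-authentication half of the advisory's "TLS client and server authentication".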

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.8% · scored 2026-06-18T12:00:27Z
Published: 2026-04-01
Last modified: 2026-04-02

Underlying weaknesses (2)

CWE-295 · CWE-306

References

  1. https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p

Type      Target                                                    Confidence  Tier
Weakness  Improper Certificate Validation (CWE-295)                 0%          live
Weakness  Missing Authentication for Critical Function (CWE-306)    0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-32693
CVE-2025-0928
CVE-2026-27173
CVE-2026-35563
CVE-2025-34271
CVE-2026-32992
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.