Critical TLS auth bypass lets attackers join Juju controller database

Published 01 Apr 2026 | Source: GitHub Security Advisory (juju/juju)

TL;DR — A critical TLS authentication flaw lets unauthenticated attackers join Juju’s controller Dqlite cluster and read/modify controller state over the network.

What happened

Juju is Canonical’s application orchestration system used to manage and operate workloads via a Juju controller.

A GitHub security advisory (CVE-2026-4370) reports that Juju’s internal Dqlite database cluster fails to enforce proper mutual authentication: the controller’s database endpoint does not validate client certificates when a new node joins, and the client-side TLS configuration also does not properly validate the server certificate (MITM is called out as possible). The advisory states that an attacker with network route-ability to the controller’s Dqlite cluster endpoint can join the cluster and then read and modify controller data, including changes that can effectively escalate privileges and alter firewall exposure.

Severity is CVSS v3.1 10.0 (Critical). This is a high-blast-radius control-plane trust-boundary failure: if port-level reachability to the Dqlite cluster exists, the controller database becomes a remote entry point for full state compromise.

Who is impacted

  • Any Juju controller since 3.2.0 (per advisory).
  • Environments where an attacker can reach the Juju controller’s Dqlite cluster endpoint (the advisory’s workaround guidance specifically calls out port 17666).

Component | Affected versions (per advisory) | Patched versions (per advisory)
juju      | >= 3.2.0                         | 3.6.20, 4.0.5

What to do now

  • Follow vendor remediation guidance and apply patched Juju releases.
    • "Juju versions 3.6.20 and 4.0.5 are patched to fix this issue."

  • If you cannot patch immediately, apply the vendor-recommended workarounds to restrict Dqlite cluster connectivity:
    • "Port 17666 must only be connected to by other controller IP addresses."

    • "block incoming connections to port 17666 and outgoing connections to any port 17666."

  • Inventory Juju controllers and validate network exposure (cloud security groups, host firewalls, Kubernetes NetworkPolicy, and routing) specifically for the Dqlite cluster endpoint.
  • Treat unexpected Dqlite cluster membership or unexplained controller-state changes as potential compromise signals; prioritize review of controller configuration and access changes after exposure is contained.
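
One way to check the port 17666 workaround against an exported firewall or security-group rule set, as an added example that is not from the advisory or from Juju. The rule tuple format, the controller addresses and the sample rules are constructed assumptions; adapt the loader to whatever your cloud or host firewall exports.

```python
import ipaddress

DQLITE_PORT = 17666  # port named in the advisory's workaround guidance

def only_controllers(cidr, controllers):
    """True if every address covered by cidr is a known controller address."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Size check first, so a wide range such as a /0 is never enumerated.
    return net.num_addresses <= len(controllers) and all(a in controllers for a in net)

def audit_dqlite_rules(rules, controller_ips):
    """Return (rule id, direction, peer) for every allow rule that lets a
    non-controller peer use the Dqlite port, inbound or outbound."""
    controllers = {ipaddress.ip_address(ip) for ip in controller_ips}
    findings = []
    for rule_id, direction, protocol, from_port, to_port, peer in rules:
        if protocol not in ("tcp", "all"):
            continue  # assumption: the Dqlite cluster endpoint is TCP (TLS)
        if not from_port <= DQLITE_PORT <= to_port:
            continue  # port range does not cover 17666
        if not only_controllers(peer, controllers):
            findings.append((rule_id, direction, peer))
    return findings

# Constructed sample data: hypothetical controller addresses and allow rules.
# Tuple layout (an assumption of this example):
#   (id, direction, protocol, from_port, to_port, peer CIDR)
CONTROLLERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
RULES = [
    ("r1", "ingress", "tcp", 17666, 17666, "10.0.0.12/32"),  # controller peer
    ("r2", "ingress", "tcp", 17000, 17999, "0.0.0.0/0"),     # range hides 17666
    ("r3", "ingress", "tcp", 443, 443, "0.0.0.0/0"),         # unrelated port
    ("r4", "ingress", "tcp", 17666, 17666, "10.0.0.0/24"),   # whole subnet
    ("r5", "ingress", "udp", 17666, 17666, "0.0.0.0/0"),     # not TCP
    ("r6", "egress", "all", 0, 65535, "0.0.0.0/0"),          # allow-all egress
    ("r7", "egress", "tcp", 17666, 17666, "10.0.0.13/32"),   # controller peer
]

if __name__ == "__main__":
    for rule_id, direction, peer in audit_dqlite_rules(RULES, CONTROLLERS):
        print(f"{rule_id}: {direction} rule with peer {peer} covers port {DQLITE_PORT}")
```

Rules flagged here are the ones to tighten so that only controller addresses remain as peers on port 17666; a subnet-wide rule is flagged even when the controllers sit inside that subnet.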
