JustAppSec

Critical TLS auth bypass lets attackers join Juju controller database

1 min read | Published 01 Apr 2026 | Source: GitHub Security Advisory (juju/juju)

TL;DR - Juju's internal Dqlite cluster doesn't validate client certs when a new node joins, and the client side doesn't validate the server cert either. Reach port 17666, join the cluster, read and modify all controller state. CVSS 10.0.

What happened

Juju is Canonical's application orchestration system.

CVE-2026-4370: Juju's internal Dqlite database cluster fails to enforce mutual TLS authentication. The controller's database endpoint doesn't validate client certificates when a node joins, and the client-side TLS config doesn't validate the server certificate either (the advisory explicitly calls out MITM). A network-reachable attacker can join the cluster, read or modify controller data, escalate privileges, and alter firewall exposure.

Severity: CVSS v3.1 10.0 (Critical). This is a control-plane trust-boundary failure with a high blast radius - wherever the port is reachable, the controller database becomes a remote entry point for full state compromise.

Who is impacted

  • Any Juju controller since 3.2.0 (per advisory).
  • Environments where an attacker can reach the Juju controller’s Dqlite cluster endpoint (the advisory’s workaround guidance specifically calls out port 17666).
Component | Affected versions (per advisory) | Patched versions (per advisory)
juju      | >= 3.2.0                         | 3.6.20, 4.0.5

What to do now

  • Follow vendor remediation guidance and apply patched Juju releases.
    • "Juju versions 3.6.20 and 4.0.5 are patched to fix this issue."
  • If you cannot patch immediately, apply the vendor-recommended workarounds to restrict Dqlite cluster connectivity:
    • "Port 17666 must only be connected to by other controller IP addresses."
    • "block incoming connections to port 17666 and outgoing connections to any port 17666."

  • Inventory Juju controllers and validate network exposure (cloud security groups, host firewalls, Kubernetes NetworkPolicy, and routing) specifically for the Dqlite cluster endpoint.
  • Treat unexpected Dqlite cluster membership or unexplained controller-state changes as potential compromise signals; prioritize review of controller configuration and access changes after exposure is contained.
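The inventory and exposure checks in the list above, as an added example that is not part of the original post or of the Juju project's own code: the first function triages a controller inventory against the version ranges the advisory gives (affected from 3.2.0; patched in 3.6.20 and 4.0.5), and the second audits observed TCP connections on a controller host against a controller IP allowlist, flagging any peer on port 17666 that is not another controller. The controller names, IP addresses and `ss -tn` lines are constructed sample data; treating 3.x releases from 3.6.20 up to 4.0.0 as fixed is an assumption, since the advisory only names the two patched releases.

```python
"""Triage Juju controllers for CVE-2026-4370 and audit Dqlite (port 17666) peers.

Added example, not from the JustAppSec post or the Juju project. Version
boundaries follow the advisory summary (affected >= 3.2.0, patched 3.6.20 and
4.0.5); the assumption that 3.6.20 <= v < 4.0.0 carries the fix is ours.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

DQLITE_PORT = 17666

# Constructed sample inventory: (controller name, reported Juju version).
SAMPLE_INVENTORY = [
    ("prod-ctl", "3.6.19"),
    ("staging-ctl", "3.6.20"),
    ("legacy-ctl", "3.1.7"),
    ("new-ctl", "4.0.4"),
    ("new-ctl-2", "4.0.5-ubuntu0"),
]

# Constructed controller allowlist (the advisory's "other controller IP addresses").
CONTROLLER_IPS = ["10.10.0.11", "10.10.0.12", "10.10.0.13"]

# Constructed `ss -tn` output as seen on controller 10.10.0.11.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.10.0.11:17666     10.10.0.12:51234
ESTAB  0      0      10.10.0.11:17666     192.168.77.9:40022
ESTAB  0      0      10.10.0.11:17070     10.20.0.3:55001
ESTAB  0      0      10.10.0.11:43210     10.10.0.13:17666
ESTAB  0      0      10.10.0.11:43211     203.0.113.5:17666
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch; any trailing suffix (e.g. '-ubuntu0') is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Juju version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls in an affected range per the advisory."""
    v = parse_version(version)
    if v < (3, 2, 0):
        return False  # advisory: affected from 3.2.0 onwards
    if v < (3, 6, 20):
        return True  # 3.2.0 .. 3.6.19: no patched release in this range
    if v < (4, 0, 0):
        return False  # assumption: 3.6.20 and later 3.x carry the fix
    if v < (4, 0, 5):
        return True  # 4.0.0 .. 4.0.4
    return False


def triage_controllers(inventory) -> List[str]:
    """Return the names of controllers that still need the patch."""
    return [name for name, ver in inventory if is_affected(ver)]


def split_host_port(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split '10.0.0.5:17666' or '[fd00::5]:17666'; port is None for wildcards like '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


# Data rows of `ss -tn`: State Recv-Q Send-Q Local:Port Peer:Port (header has no digits).
SS_ROW = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")


def audit_dqlite_peers(ss_output: str, controller_ips) -> List[Tuple[str, str, int]]:
    """Flag connections involving port 17666 whose peer is not a known controller.

    Returns (direction, peer_ip, peer_port): 'inbound' when the local side is
    17666 (someone connected to our Dqlite endpoint), 'outbound' when the peer
    side is 17666 (this host connected to a remote Dqlite endpoint).
    """
    allowed = {ipaddress.ip_address(ip) for ip in controller_ips}
    findings = []
    for line in ss_output.splitlines():
        m = SS_ROW.match(line)
        if not m:
            continue  # header, blank or unparsable line
        _state, local, peer = m.groups()
        _lhost, lport = split_host_port(local)
        phost, pport = split_host_port(peer)
        if DQLITE_PORT not in (lport, pport) or pport is None:
            continue
        try:
            peer_ip = ipaddress.ip_address(phost)
        except ValueError:
            continue  # wildcard or hostname; nothing to compare against the allowlist
        if peer_ip in allowed:
            continue
        direction = "inbound" if lport == DQLITE_PORT else "outbound"
        findings.append((direction, phost, pport))
    return findings


if __name__ == "__main__":
    print("needs patch:", triage_controllers(SAMPLE_INVENTORY))
    for direction, ip, port in audit_dqlite_peers(SAMPLE_SS, CONTROLLER_IPS):
        print(f"ALERT {direction} Dqlite connection with non-controller {ip}:{port}")
```

On a live controller, feed the script the real `juju controllers` versions and the output of `ss -tn`; every inbound finding is a non-controller that reached port 17666 and should be investigated as a possible unauthorised cluster join, and every outbound finding means the controller itself opened a Dqlite connection to a non-controller, which the advisory's workaround says should be blocked.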
