CVE-2026-4370: Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster

April 2, 2026 (updated April 8, 2026)

Any Juju controller since 3.2.0.

An attacker with only route-ability to the target juju controller Dqlite cluster endpoint may join the Dqlite cluster, read and modify all information, including escalating privileges, open firewall ports etc.

This is due to not checking the client certificate, additionally, the client does not check the server’s certificate (MITM attack possible), so anything goes.

https://github.com/juju/juju/blob/001318f51ac456602aef20b123684f1eeeae9a77/internal/database/node.go#L312-L324

References

github.com/advisories/GHSA-gvrj-cjch-728p
github.com/juju/juju
github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p
nvd.nist.gov/vuln/detail/CVE-2026-4370

Code Behaviors & Features

Detect and mitigate CVE-2026-4370 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →