CVE-2026-5774: Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence

April 10, 2026 (updated April 27, 2026)

The localLoginHandlers struct in the Juju API server maintains an in-memory map to store discharge tokens following successful local authentication. This map is accessed concurrently from multiple HTTP handler goroutines without any synchronization primitive protecting it. The absence of a mutex or equivalent mechanism means that concurrent reads, writes, and deletes on the map can trigger Go runtime panics and may allow a discharge token to be consumed more than once before deletion completes.

References

github.com/advisories/GHSA-7m55-2hr4-pw78
github.com/juju/juju/pull/22205
github.com/juju/juju/pull/22206
github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78
nvd.nist.gov/vuln/detail/CVE-2026-5774

Code Behaviors & Features

Detect and mitigate CVE-2026-5774 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →