CVE-2026-5774
Severity: MEDIUM
Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map
Title source: cna
Description
Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
References (3)
Vendor Advisory (vdb-entry, vendor-advisory): In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence
https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78
Patch (issue-tracking): https://github.com/juju/juju/pull/22206
Patch (issue-tracking): https://github.com/juju/juju/pull/22205
Scores
CVSS v3: 6.4
EPSS: 0.0024
EPSS Percentile: 15.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-362
Status: published
Products (5)
canonical/juju: < 2.9.57
Canonical/Juju: 2.0.0 - 2.9.57
Canonical/Juju: 3.0.0 - 3.6.21
Canonical/Juju: 4.0.0 - 4.0.6
juju/juju (Go): 0 - 0.0.0-20260408003526-d395054dc2c3
Published: Apr 10, 2026
Tracked Since: Apr 10, 2026