CVE-2026-4370
Status: Received - Intake
Improper TLS Authentication in Juju Dqlite Enables Unauthorized Access

Publication date: 2026-04-01

Last updated on: 2026-04-02

Assigner: Canonical Ltd.

Description
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
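In TLS terms, the flaw described above is a database endpoint that authenticates itself to a joining node but never demands or checks the node's own certificate, so reachability of the port is the only admission control. The Go program below is an added example written for this page; it is not Juju's or Dqlite's code and makes no claim about where the defect sat in those projects. It builds a throwaway PKI and a loopback TLS endpoint to show the weak `ClientAuth` setting beside the enforcing one: `tls.NoClientCert` admits an anonymous peer, while `tls.RequireAndVerifyClientCert` with `ClientCAs` limited to the controller's CA admits only a node holding a certificate that CA issued. The names `controller-ca`, `controller`, `node-1`, `rogue-ca` and `rogue-node` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity is a certificate plus its private key: it can sign children or act as a TLS peer.
type identity struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// issue creates a P-256 certificate for cn: CAs are self-signed, leaves are signed by parent.
func issue(cn string, isCA bool, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // throwaway PKI: failing here is a programming error, not a runtime condition
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial; a real CA uses random serials
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	signer := parent // leaves are signed by their CA; CAs sign themselves (no intermediates here)
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer = &identity{tmpl, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return &identity{cert, key}
}

// joinAttempt: a node dials the controller's loopback TLS endpoint, which applies policy; peer is the identity the node presents (nil: none). A nil result means the controller admitted the peer.
func joinAttempt(policy tls.ClientAuthType, trusted *x509.CertPool, controller, peer *identity) error {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{controller.cert.Raw}, PrivateKey: controller.key}},
		ClientAuth:   policy,  // NoClientCert is the weak setting; RequireAndVerifyClientCert enforces mutual TLS
		ClientCAs:    trusted, // only certificates chaining to the controller CA may join
		MinVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{RootCAs: trusted, ServerName: "controller", MinVersion: tls.VersionTLS12}
	if peer != nil { // present the peer's certificate whatever CAs the controller lists, as a rogue client would
		cert := tls.Certificate{Certificate: [][]byte{peer.cert.Raw}, PrivateKey: peer.key}
		clientCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // controller side: accept one peer and rule on it
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(raw, serverCfg).Handshake()
		}
		verdict <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()                      // keep the peer's socket open until the controller has ruled
	tls.Client(raw, clientCfg).Handshake() // the peer's own view is not the question
	return <-verdict
}

// runScenarios builds a throwaway PKI and records the controller's verdict for four join attempts.
func runScenarios() map[string]error {
	ca, rogueCA := issue("controller-ca", true, nil), issue("rogue-ca", true, nil)
	controller, node, rogue := issue("controller", false, ca), issue("node-1", false, ca), issue("rogue-node", false, rogueCA)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.cert)
	return map[string]error{
		"NoClientCert, anonymous peer":                        joinAttempt(tls.NoClientCert, trusted, controller, nil),
		"RequireAndVerifyClientCert, anonymous peer":          joinAttempt(tls.RequireAndVerifyClientCert, trusted, controller, nil),
		"RequireAndVerifyClientCert, cert from untrusted CA":  joinAttempt(tls.RequireAndVerifyClientCert, trusted, controller, rogue),
		"RequireAndVerifyClientCert, cert from controller CA": joinAttempt(tls.RequireAndVerifyClientCert, trusted, controller, node),
	}
}

func main() {
	for name, verdict := range runScenarios() {
		fmt.Printf("%-52s admitted=%-5t %v\n", name, verdict == nil, verdict)
	}
}
```

Running it prints one verdict per attempt: under the enforcing policy the only peer admitted is the one whose certificate chains to the controller CA; a missing certificate or one signed by another CA is turned away during the handshake, before any database traffic can flow. Mutual authentication needs both directions, which is why the client side also pins `RootCAs` and `ServerName`: a node should be no more willing to talk to a counterfeit controller than the controller is to admit an unknown node.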
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor     Product  Version / Range
canonical  juju     from 3.2.0 (inclusive) to 3.6.20 (exclusive)
canonical  juju     from 4.0 (inclusive) to 4.0.5 (exclusive)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-295: The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4370 is a critical security vulnerability in Juju controllers (versions 3.2.0 to 3.6.19 and 4.0 to 4.0.4) related to improper TLS client and server authentication within the internal Dqlite database cluster.

Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. This means an attacker with network access to the Juju controller's Dqlite port can join the database cluster without proper authentication.

Once the attacker joins the cluster, they gain full read and write access to the underlying database, allowing them to read and modify data, escalate privileges, and compromise the entire cluster.


How can this vulnerability impact me?

This vulnerability allows an unauthenticated attacker with network access to the Juju controller's Dqlite port to join the database cluster as a rogue member.

The attacker can then read and modify all cluster data, including sensitive user information, escalate privileges, and potentially open firewall ports.

This leads to total data compromise within the Juju controller's database cluster, severely impacting the confidentiality, integrity, and availability of your system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic to the Juju controller's Dqlite cluster port (default port 17666) for unauthorized or unexpected connections, as the flaw allows unauthenticated attackers to join the cluster.

A practical detection method involves checking for any unknown clients connecting to port 17666 on the Juju controller, which should normally only accept connections from trusted controller IPs.

While no specific detection commands are provided, network administrators can use tools like netstat, ss, or tcpdump to monitor connections on port 17666. For example:

  • netstat -an | grep 17666
  • ss -tnlp | grep 17666
  • tcpdump -i <interface> port 17666

Additionally, reviewing Juju controller logs for unexpected cluster join events or anomalies may help detect exploitation attempts.
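As an added example, not part of the answer above and not a Juju tool, here is a small Go program that turns the `ss` check into an allowlist comparison: it parses `ss -tn` output (a constructed sample is embedded; every address in it is made up), keeps only connections whose local port is 17666, normalizes IPv4 and IPv6 peer addresses so that spelling differences cannot hide a match, and reports any peer not on the trusted controller list. The `dqlitePort` constant comes from the port named in the answer; the trusted addresses are assumptions for the example and would be the real controller IPs in practice.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// dqlitePort is the controller's Dqlite cluster port named in the advisory text.
const dqlitePort = "17666"

// sampleSS is a constructed excerpt of `ss -tn` output as it might look on a controller
// host; the addresses are made up for this example.
const sampleSS = `State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port   Process
ESTAB  0      0       10.0.0.11:17666      10.0.0.12:41020
ESTAB  0      0       10.0.0.11:17666      10.0.0.13:55104
ESTAB  0      0       10.0.0.11:17666      192.168.77.9:60112
ESTAB  0      0       10.0.0.11:22         10.0.0.200:51234
ESTAB  0      0       [fd00::11]:17666     [fd00::beef]:40001
ESTAB  0      0       [fd00::11]:17666     [fd00:0:0:0::c0de]:40002
`

// canonicalIP normalizes an address so that "fd00:0:0:0::c0de" and "fd00::c0de" compare equal.
func canonicalIP(s string) (string, bool) {
	ip := net.ParseIP(s)
	if ip == nil {
		return "", false
	}
	return ip.String(), true
}

// Finding records a connection on the Dqlite port from a peer outside the trusted controller set.
type Finding struct {
	State string
	Local string
	Peer  string
}

// unexpectedDqlitePeers scans ss output for connections whose local port is the Dqlite port
// and whose remote address is not one of the trusted controller IPs.
func unexpectedDqlitePeers(ssOutput string, trustedControllers []string) []Finding {
	allow := map[string]bool{}
	for _, t := range trustedControllers {
		if ip, ok := canonicalIP(t); ok {
			allow[ip] = true
		}
	}
	var findings []Finding
	for _, line := range strings.Split(ssOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[0] == "State" {
			continue // header or blank line
		}
		localHost, localPort, err := net.SplitHostPort(f[3]) // handles both 1.2.3.4:port and [v6]:port
		if err != nil || localPort != dqlitePort {
			continue // some other listener on the host
		}
		peerHost, _, err := net.SplitHostPort(f[4])
		if err != nil {
			continue
		}
		peer, ok := canonicalIP(peerHost)
		if !ok || allow[peer] {
			continue
		}
		findings = append(findings, Finding{State: f[0], Local: localHost, Peer: peer})
	}
	return findings
}

func main() {
	trusted := []string{"10.0.0.12", "10.0.0.13", "fd00::beef"} // assumed controller IPs
	for _, fd := range unexpectedDqlitePeers(sampleSS, trusted) {
		fmt.Printf("ALERT %s connection to %s:%s from untrusted peer %s\n", fd.State, fd.Local, dqlitePort, fd.Peer)
	}
}
```

On the sample, the program flags the two peers that are not controllers (192.168.77.9 and fd00::c0de) and ignores the SSH connection on port 22. The allowlist it compares against is the same set of controller addresses that the firewall rule in the mitigation advice below should permit, so the two controls can be kept in step; an established connection on the Dqlite port from any other address is worth investigating rather than silently dropping.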


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade Juju to patched versions 3.6.20 or 4.0.5 or later, where the TLS authentication flaw is fixed.

If immediate patching is not possible, temporary mitigations include:

  • Restrict network access to port 17666 so that only trusted Juju controller IP addresses can connect.
  • Disable High Availability (HA) by reducing to a single Juju controller and blocking all incoming and outgoing connections on port 17666.

These mitigations reduce exposure but do not fix the underlying TLS verification flaw, so upgrading remains essential.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an unauthenticated attacker to join the Juju controller's internal Dqlite database cluster and gain full read and write access to sensitive data, including user information. Such unauthorized access and potential data modification represent a severe security breach.

Because the attacker can compromise the confidentiality, integrity, and availability of data, this flaw could lead to violations of common data protection standards and regulations such as GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

Failure to properly authenticate and secure access to critical databases may result in non-compliance with these regulations, potentially leading to legal penalties, loss of trust, and damage to organizational reputation.

