CVE-2026-5774
Improper Synchronization in Juju API Server Causes DoS, Token Reuse
Publication date: 2026-04-10
Last updated on: 2026-04-22
Assigner: Canonical Ltd.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | juju | Up to 2.9.57 (exc) |
| canonical | juju | From 3.0 (inc) to 3.6.21 (exc) |
| canonical | juju | From 4.0 (inc) to 4.0.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5774 is a concurrency and persistence flaw in the Juju API server's handling of discharge tokens used for local authentication. The server maintains an in-memory map called userTokens to store these tokens after successful authentication. However, this map is accessed concurrently by multiple HTTP handler goroutines without any synchronization mechanisms like mutexes.
Because of this lack of synchronization, concurrent reads, writes, and deletes on the map can cause race conditions. This can lead to two main problems: denial of service due to server crashes from concurrent map access violations, and token replay where a single-use discharge token can be used multiple times because the read-and-delete operation is not atomic.
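The hardened form of the pattern described above, as an added Go example that is not Juju's own code: a token map guarded by one mutex, with the look-up and the delete performed in a single critical section so a token can be consumed at most once. The TokenStore type, its token-to-user layout and the sample token are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// TokenStore keeps single-use discharge tokens behind one mutex (hypothetical layout).
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]string // token -> user
}

// Consume looks up and deletes the token in one critical section, so at
// most one caller sees it as valid. Unlocked, two goroutines can both read
// ok == true before either deletes (replay); concurrent map writes panic (DoS).
func (s *TokenStore) Consume(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.tokens[token]
	if ok {
		delete(s.tokens, token)
	}
	return user, ok
}

// RaceConsume has n goroutines race for the same token and returns how
// many were granted it; a correct store yields exactly 1.
func RaceConsume(s *TokenStore, token string, n int) int {
	var wg sync.WaitGroup
	var granted int64
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer wg.Done()
			if _, ok := s.Consume(token); ok {
				atomic.AddInt64(&granted, 1)
			}
		}()
	}
	wg.Wait()
	return int(granted)
}

func main() {
	s := &TokenStore{tokens: map[string]string{"discharge-tok-1": "alice"}} // constructed sample
	fmt.Println("granted:", RaceConsume(s, "discharge-tok-1", 100))
}
```

Running the block under `go run -race` is a cheap way to confirm the store stays race-free after any later change.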
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated user to cause a denial of service (DoS) on the Juju API server. The server may crash due to concurrent map access violations, making the service unavailable to all clients and agents.
Additionally, it can allow token replay attacks where a single-use discharge token can be reused multiple times. This breaks the intended security model and could allow repeated authentication with the same token, potentially compromising the integrity of the authentication process.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing abnormal crashes or panics in the Juju API server logs caused by concurrent map access violations. Monitoring for repeated server process terminations or denial of service symptoms when multiple authenticated users send concurrent discharge token requests may indicate exploitation attempts.
A proof-of-concept involves sending multiple concurrent discharge requests with the same token to trigger the race condition. Network traffic analysis tools can be used to detect such repeated concurrent requests from the same user.
Specific commands to detect this vulnerability are not provided in the resources, but general approaches include:
- Checking Juju API server logs for Go runtime panics related to concurrent map access.
- Using network monitoring tools (e.g., tcpdump, Wireshark) to identify multiple concurrent discharge token requests from the same authenticated user.
- Testing with custom scripts that simulate concurrent discharge token requests to observe if the server crashes or allows token reuse.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading the Juju API server to a patched version where the concurrency issue is fixed. The vulnerability is resolved in Juju versions 2.9.57, 3.6.21, and 4.0.6.
Until an upgrade can be performed, consider limiting or monitoring concurrent discharge token requests from authenticated users to reduce the risk of triggering the race condition.
Implementing additional network-level controls such as rate limiting or access restrictions on the API server may help mitigate exploitation attempts.