CVE-2026-5774
Received Received - Intake
Improper Synchronization in Juju API Server Causes DoS, Token Reuse

Publication date: 2026-04-10

Last updated on: 2026-04-22

Assigner: Canonical Ltd.

Description
Improper synchronization of the userTokens map in the API server in Canonical JujuΒ 4.0.5,Β 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5774
EUVD
EUVD-2026-21366
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
canonical juju to 2.9.57 (exc)
canonical juju From 3.0 (inc) to 3.6.21 (exc)
canonical juju From 4.0 (inc) to 4.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-5774 is a concurrency and persistence flaw in the Juju API server's handling of discharge tokens used for local authentication. The server maintains an in-memory map called userTokens to store these tokens after successful authentication. However, this map is accessed concurrently by multiple HTTP handler goroutines without any synchronization mechanisms like mutexes.

Because of this lack of synchronization, concurrent reads, writes, and deletes on the map can cause race conditions. This can lead to two main problems: denial of service due to server crashes from concurrent map access violations, and token replay where a single-use discharge token can be used multiple times because the read-and-delete operation is not atomic.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user to cause a denial of service (DoS) on the Juju API server. The server may crash due to concurrent map access violations, making the service unavailable to all clients and agents.

Additionally, it can allow token replay attacks where a single-use discharge token can be reused multiple times. This breaks the intended security model and could allow repeated authentication with the same token, potentially compromising the integrity of the authentication process.

Detection Guidance

This vulnerability can be detected by observing abnormal crashes or panics in the Juju API server logs caused by concurrent map access violations. Monitoring for repeated server process terminations or denial of service symptoms when multiple authenticated users send concurrent discharge token requests may indicate exploitation attempts.

A proof-of-concept involves sending multiple concurrent discharge requests with the same token to trigger the race condition. Network traffic analysis tools can be used to detect such repeated concurrent requests from the same user.

Specific commands to detect this vulnerability are not provided in the resources, but general approaches include:

  • Checking Juju API server logs for Go runtime panics related to concurrent map access.
  • Using network monitoring tools (e.g., tcpdump, Wireshark) to identify multiple concurrent discharge token requests from the same authenticated user.
  • Testing with custom scripts that simulate concurrent discharge token requests to observe if the server crashes or allows token reuse.
Mitigation Strategies

Immediate mitigation involves upgrading the Juju API server to a patched version where the concurrency issue is fixed. The vulnerability is resolved in Juju versions 2.9.57, 3.6.21, and 4.0.6.

Until an upgrade can be performed, consider limiting or monitoring concurrent discharge token requests from authenticated users to reduce the risk of triggering the race condition.

Implementing additional network-level controls such as rate limiting or access restrictions on the API server may help mitigate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart