Denial of Service Vulnerability in Canonical Juju API Server
CVE-2026-5774

6.1 MEDIUM

Key Information:

Vendor: Canonical

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-5774?

Canonical Juju API server versions 4.0.5, 3.6.20, and 2.9.56 do not properly synchronize access to the userTokens map. An authenticated user can exploit the resulting concurrency issues to trigger a denial of service on the server, leading to downtime or service interruptions. The same flaw may also allow single-use discharge tokens to be reused, which compromises the integrity of token-based authentication mechanisms.
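The sketch below is an added example, not Juju's code or the vendor's fix: it illustrates the general bug class in Go, where unsynchronized concurrent map writes abort the process with a fatal runtime error and an unlocked check-then-delete lets two callers redeem one token. `TokenStore`, `Issue`, `Consume` and `RaceConsume` are hypothetical names; the only identifier taken from the advisory is the idea of a user-token map.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// TokenStore is a hypothetical single-use token registry (token -> user).
// Every access to the map goes through mu.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func NewTokenStore() *TokenStore { return &TokenStore{tokens: map[string]string{}} }

func (s *TokenStore) Issue(token, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[token] = user
}

// Consume looks the token up and deletes it while holding the lock once,
// so the check and the invalidation cannot interleave with another caller.
func (s *TokenStore) Consume(token string) (user string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if user, ok = s.tokens[token]; ok {
		delete(s.tokens, token)
	}
	return user, ok
}

// RaceConsume has n goroutines write to the map and redeem the same token
// concurrently, and returns how many redemptions succeeded.
func RaceConsume(s *TokenStore, token string, n int) int {
	var wg sync.WaitGroup
	var wins atomic.Int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			s.Issue(fmt.Sprintf("other-%d", i), "bob") // concurrent map writes
			if _, ok := s.Consume(token); ok {
				wins.Add(1)
			}
		}(i)
	}
	wg.Wait()
	return int(wins.Load())
}

func main() {
	s := NewTokenStore()
	s.Issue("tok-constructed", "alice") // constructed sample token
	fmt.Println("redemptions:", RaceConsume(s, "tok-constructed", 64))
}
```

Running code like this under `go test -race` is a practical check that no map access escapes the lock.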

Affected Version(s)

Juju Linux 2.0.0 < 2.9.57

Juju Linux 3.0.0 < 3.6.21

Juju Linux 4.0.0 < 4.0.6

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
