CVE-2026-5774

Description

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

Canonical / Juju2.0.0 – 2.9.57
Canonical / Juju3.0.0 – 3.6.21
Canonical / Juju4.0.0 – 4.0.6

References

VENDOR_ADVISORYhttps://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78
PATCHhttps://github.com/juju/juju/pull/22206
PATCHhttps://github.com/juju/juju/pull/22205