CVE-2026-4370: Critical Authentication Bypass in Canonical Juju Dqlite Cluster

Canonical Juju utilizes Dqlite (Distributed SQLite) as a high-availability database cluster to manage the state of models and units. The Dqlite service runs on the Juju controller and communicates over port 17666. This internal cluster relies on mutual TLS (mTLS) to authenticate nodes and secure inter-node communication.

CVE-2026-4370 represents a critical authentication bypass within this Dqlite component. The vulnerability exists due to a failure to validate client certificates during the cluster-join handshake. This flaw is categorized under CWE-295 (Improper Certificate Validation) and CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers with network access to port 17666 can join the database cluster without possessing a valid internal certificate. Successful exploitation grants full read and write access to the underlying Juju state database. The compromise of the Dqlite database enables control over all environments managed by the Juju controller.

The Dqlite cluster-join handshake logic coordinates the addition of new nodes to the existing high-availability cluster. A new node initiates a Join() request over a TLS connection to integrate with the cluster. The Juju controller is designed to enforce mTLS to verify the joining node's identity against the internal certificate authority.

The vulnerability stems from a specific failure in the server-side TLS configuration of the Juju controller. The TLS implementation accepts the incoming connection but fails to enforce the requirement for a valid, Juju-issued client certificate. This oversight allows an attacker to complete the TLS handshake anonymously.

Because the handshake succeeds without validation, the controller registers the unauthenticated node as a legitimate cluster member. This registration triggers the Dqlite replication protocol to begin state synchronization. The underlying issue is a disconnect between the transport-layer security requirements and the application-layer cluster membership logic.

During the vulnerability lifecycle, developers introduced commit 001318f51ac456602aef20b123684f1eeeae9a77 to harden application-layer logic. This patch tightens the state management routines in domain/application/state/unit.go specifically concerning the UpdateUnitCharm function. The modification ensures the target charm is explicitly authorized for the parent application before allowing a unit update.

The following conceptual code illustrates the vulnerable application-layer logic before the patch, which relied on the assumption that only authenticated cluster members could invoke state changes:

// Pre-patch logic omitted authorization checks
func (s *State) UpdateUnitCharm(unitUUID string, charmID string) error {
    // Vulnerable: Direct update without parent app authorization
    return s.db.Exec("UPDATE unit SET charm_id = ? WHERE uuid = ?", charmID, unitUUID)
}

This application-level patch provides zero protection against an adversary exploiting CVE-2026-4370. Because the TLS flaw grants direct, unauthenticated SQL access to the Dqlite database, an attacker completely bypasses the UpdateUnitCharm Go-level logic. An adversary can execute raw SQL UPDATE statements on the unit table directly over the compromised Dqlite replication channel.

An attacker initiates the exploit chain by identifying a Juju controller with an exposed Dqlite port, defaulting to 17666. The attacker utilizes a custom or modified go-dqlite client to establish a TCP connection to this endpoint. The exploit requires direct network reachability to the controller.

The attacker sends a Join request over the established connection. The attacker specifically omits a valid client certificate during the TLS handshake. The controller processes the request and, due to the missing validation logic, accepts the unauthenticated connection.

Following the successful join operation, the controller immediately begins replicating the SQLite database state to the attacker's node. The attacker receives a complete, live copy of the Juju environment's configuration. The replication process exposes all stored administrative data.

The attacker executes the final phase by injecting malicious SQL commands into their local Dqlite node. These commands replicate back to the controller's primary database. The attacker can alter unit configurations, deploy malicious charms, or extract plaintext cloud credentials stored within the database schema.

CVE-2026-4370 carries a critical CVSS v3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The network attack vector and the lack of required privileges maximize the exploitability score. The changed scope reflects the complete compromise of the underlying environments managed by the vulnerable Juju controller.

The confidentiality impact is severe. The Dqlite database stores highly sensitive operational data, including administrative credentials, environment variables, and cloud provider secrets. An attacker can extract these secrets to pivot from the Juju management plane directly into the connected cloud infrastructure.

The integrity and availability impacts result in total system compromise. The attacker possesses full write access to the internal Juju state. They can destructively modify the database, deploy malicious workloads via rogue charms, or dismantle the entire managed environment by issuing arbitrary SQL commands.

Administrators must upgrade Juju controllers running vulnerable 3.x versions to 3.6.20 immediately. Environments running vulnerable 4.0.x versions must upgrade to 4.0.5. These patched releases correct the TLS configuration to enforce strict mTLS client certificate validation during the Dqlite join process.

Organizations unable to patch immediately must implement network-level mitigation strategies. Administrators must deploy strict firewall rules restricting access to port 17666. This port must only be reachable by authorized internal Juju cluster nodes and must be strictly isolated from the public internet or untrusted networks.

Security teams should monitor network traffic for anomalous connection attempts to port 17666 from unrecognized IP addresses. Administrators should review Juju controller logs for unexpected cluster membership changes or unauthorized Dqlite join events. Deploying Nuclei detection templates can identify exposed Dqlite endpoints, though active protocol interaction is required to confirm vulnerability.