CVE-2026-4370 — AI Deep Analysis Summary

🚨 **Essence**: Juju's internal Dqlite cluster fails TLS auth. 📉 **Consequences**: Unauthenticated attackers join the cluster, gaining full read/write access to the underlying database.…

🛡️ **CWE**: CWE-295 (Improper Certificate Validation). 🔍 **Flaw**: The internal Dqlite database cluster does not enforce correct TLS client and server identity verification. 🚫 Trust is assumed without proof.

🏢 **Vendor**: Canonical. 📦 **Product**: Juju. 📅 **Affected Versions**: 3.2.0 to 3.6.19 AND 4.0 to 4.0.4. ⚠️ Check your version immediately!

🕵️ **Privileges**: Unauthenticated access. 🗄️ **Data Impact**: Full Read/Write access to the database. 📜 **Action**: Attackers can modify, delete, or exfiltrate any data stored in Juju's state. 🚨 Critical risk.

📉 **Threshold**: LOW. 🌐 **Network**: Network Accessible (AV:N). 🔑 **Auth**: None required (PR:N). 🤝 **User Interaction**: None (UI:N). 🚀 Easy to exploit remotely without credentials.

🚫 **Public Exp**: No PoC listed in data. 📂 **References**: GitHub Security Advisory (GHSA-gvrj-cjch-728p) exists. ⚠️ Wild exploitation likely imminent due to low barrier.

🔍 **Check**: Scan for Juju versions 3.2.0-3.6.19 & 4.0-4.0.4. 📡 **Feature**: Look for Dqlite clusters with weak TLS config. 🛠️ **Tool**: Use vulnerability scanners detecting CWE-295 in Juju deployments.

✅ **Fixed**: Yes. 📦 **Patch**: Upgrade to Juju > 3.6.19 or > 4.0.4. 🔗 **Source**: Canonical Security Advisories. 🔄 Immediate update required.

🛑 **Workaround**: Isolate Dqlite nodes. 🔒 **Network**: Restrict access to Dqlite ports via firewall. 🚫 **Auth**: Enforce strict network segmentation if patching is delayed. ⏳ Temporary fix only.

🔥 **Priority**: CRITICAL. 📊 **CVSS**: 9.8 (High). 🚨 **Urgency**: Patch NOW. ⚡ Unauthenticated remote code/data access is a top-tier threat. Do not delay.