{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5774", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-08T07:22:06.115Z", "datePublished": "2026-04-10T12:10:55.634Z", "dateUpdated": "2026-04-10T12:41:28.720Z"}, "containers": {"cna": {"title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map", "affected": [{"collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected", "packageName": "juju", "platforms": ["Linux"], "product": "Juju", "repo": "https://github.com/juju/juju", "vendor": "Canonical", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.9.57", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.6.21", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26: Leveraging Race Conditions"}]}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/juju/juju/pull/22206", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/juju/juju/pull/22205", "tags": ["patch", "issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-10T12:10:55.634Z"}}, "adp": [{"references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T12:41:23.862481Z", "id": "CVE-2026-5774", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:41:28.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5774", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T12:41:23.862481Z"}}}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:41:02.565Z"}}], "cna": {"title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26: Leveraging Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/juju/juju", "vendor": "Canonical", "product": "Juju", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.9.57", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.6.21", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "juju", "collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/juju/juju/pull/22206", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/juju/juju/pull/22205", "tags": ["patch", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-10T12:10:55.634Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5774", "state": "PUBLISHED", "dateUpdated": "2026-04-10T12:41:28.720Z", "dateReserved": "2026-04-08T07:22:06.115Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-10T12:10:55.634Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2161D9F-0627-4EAF-A6FD-81B9056D31FC", "versionEndExcluding": "2.9.57", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A328E22-F73A-45B4-907D-955B91B5E730", "versionEndExcluding": "3.6.21", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "7929B9F0-C9DA-4239-8264-EDC53068CEDF", "versionEndExcluding": "4.0.6", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."}], "id": "CVE-2026-5774", "lastModified": "2026-04-22T20:46:45.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-10T13:16:46.070", "references": [{"source": "security@ubuntu.com", "tags": ["Issue Tracking"], "url": "https://github.com/juju/juju/pull/22205"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking"], "url": "https://github.com/juju/juju/pull/22206"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.9.57)"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.6.21)"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Juju", "source": "cna", "vendor": "Canonical"}, "product": "juju", "vendor": "canonical"}], "analysis": {"en": {"generated_at": "2026-04-10T13:20:44.193450+00:00", "value": {"mitigation_remediation": ["Apply the latest Juju release that contains the fix for the userTokens map synchronization issue.", "If an upgrade is not immediately possible, restrict API server access to trusted users and monitor for unusual token usage patterns."], "summary": {"action": "Patch Now", "impact": "Denial of Service and Token Replay"}, "threat_synthesis": {"affected_systems": "Canonical\u2019s Juju platform versions 4.0.5, 3.6.20 and 2.9.56 are vulnerable and should be upgraded if in use.", "description_and_impact": "An authentication race condition in the Juju API server\u2019s userTokens map allows a logged\u2011in user to manipulate token processing. The flaw can lead to two adverse outcomes: it may corrupt the map and bring the server down, or it can enable reuse of a single\u2011use discharge token, undermining the intended one\u2011time authenticity guarantee. This is a classic race condition (CWE\u2011362).", "risk_and_exploitability": "The CVSS score is 6.1, indicating a moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. An attacker must be authenticated to exploit the flaw, but once authenticated the potential to cause service interruption or bypass token restrictions makes timely remediation critical."}}}}, "created": "2026-04-10T14:40:46.975829+00:00", "updated": "2026-04-13T13:06:05.574564+00:00", "vendors": ["canonical", "canonical$PRODUCT$juju"]}