CVE-2026-5774

Published: Apr 10, 2026

Modified: Apr 10, 2026

PUBLISHED

Description

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

Vendor	Product	Versions
Canonical	Juju	affected `2.0.0 - < 2.9.57` affected `3.0.0 - < 3.6.21` affected `4.0.0 - < 4.0.6`

Weaknesses (CWE)

CWE-362

References

In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence

vdb-entry

vendor-advisory

https://github.com/juju/juju/pull/22206

patch

issue-tracking

https://github.com/juju/juju/pull/22205

patch

issue-tracking

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-5774

Description

Affected Products

Weaknesses (CWE)

References