CVE-2026-5774 - Vulnerability Details - OpenCVE

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Canonical	Juju

No data.

No data.

References

Link	Providers
https://github.com/juju/juju/pull/22205
https://github.com/juju/juju/pull/22206
https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78

History

Fri, 10 Apr 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canonical Canonical juju
Vendors & Products		Canonical Canonical juju

Fri, 10 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
Title		Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map
Weaknesses		CWE-362
References		https://github.com/juju/juju/pull/22205 https://github.com/juju/juju/pull/22206 https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78
Metrics		cvssV4_0 `{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-10T12:10:55.634Z

Updated: 2026-04-10T12:41:28.720Z

Reserved: 2026-04-08T07:22:06.115Z

Link: CVE-2026-5774

Vulnrichment

Updated: 2026-04-10T12:41:02.565Z

NVD

Status : Received

Published: 2026-04-10T13:16:46.070

Modified: 2026-04-10T13:16:46.070

Link: CVE-2026-5774

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5774", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-08T07:22:06.115Z", "datePublished": "2026-04-10T12:10:55.634Z", "dateUpdated": "2026-04-10T12:41:28.720Z"}, "containers": {"cna": {"title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map", "affected": [{"collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected", "packageName": "juju", "platforms": ["Linux"], "product": "Juju", "repo": "https://github.com/juju/juju", "vendor": "Canonical", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.9.57", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.6.21", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26: Leveraging Race Conditions"}]}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/juju/juju/pull/22206", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/juju/juju/pull/22205", "tags": ["patch", "issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-10T12:10:55.634Z"}}, "adp": [{"references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T12:41:23.862481Z", "id": "CVE-2026-5774", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:41:28.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5774", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T12:41:23.862481Z"}}}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:41:02.565Z"}}], "cna": {"title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26: Leveraging Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/juju/juju", "vendor": "Canonical", "product": "Juju", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.9.57", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.6.21", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "juju", "collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78", "name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/juju/juju/pull/22206", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/juju/juju/pull/22205", "tags": ["patch", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-10T12:10:55.634Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5774", "state": "PUBLISHED", "dateUpdated": "2026-04-10T12:41:28.720Z", "dateReserved": "2026-04-08T07:22:06.115Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-10T12:10:55.634Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."}], "id": "CVE-2026-5774", "lastModified": "2026-04-10T13:16:46.070", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-10T13:16:46.070", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/juju/juju/pull/22205"}, {"source": "security@ubuntu.com", "url": "https://github.com/juju/juju/pull/22206"}, {"source": "security@ubuntu.com", "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security@ubuntu.com", "type": "Secondary"}]}