Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0938

NIXPKGS-2026-0938
published on
Permalink CVE-2026-4370
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 8 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 12 hours ago
  • @LeSuisse removed package jujutsu 9 hours ago
  • @LeSuisse removed package jujuutils 9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 8 hours ago
Improper TLS Client/Server authentication and certificate verification on Database Cluster

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.

Affected products

juju
  • <4.0.4
  • <3.6.20

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

Ignored packages (2)

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

  • nixos-unstable 0.2
    • nixpkgs-unstable 0.2
    • nixos-unstable-small 0.2
  • nixos-25.11 0.2
    • nixos-25.11-small 0.2
    • nixpkgs-25.11-darwin 0.2

Package maintainers

Advisory: https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p