NIXPKGS-2026-1074

GitHub issue published on

Permalink CVE-2026-5774

updated 22 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 4 hours ago
@LeSuisse removed
2 packages
- jujutsu
- jujuutils
23 hours ago
@LeSuisse ignored reference In-Memory… 23 hours ago
@LeSuisse accepted 23 hours ago
@LeSuisse published on GitHub 22 hours ago

Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

References

https://github.com/juju/juju/pull/22206 issue-trackingpatch
https://github.com/juju/juju/pull/22205 issue-trackingpatch
https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78 exploit

Ignored references (1)

In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence vdb-entryvendor-advisory

Affected products

juju

<3.6.21
<4.0.6
<2.9.57

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

nixos-unstable 3.6.12
- nixpkgs-unstable 3.6.12
- nixos-unstable-small 3.6.12
nixos-25.11 3.6.11
- nixos-25.11-small 3.6.11
- nixpkgs-25.11-darwin 3.6.11

Ignored packages (2)

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

nixos-unstable 0.40.0
- nixpkgs-unstable 0.40.0
- nixos-unstable-small 0.40.0
nixos-25.11 0.35.0
- nixos-25.11-small 0.35.0
- nixpkgs-25.11-darwin 0.35.0

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2
nixos-25.11 0.2
- nixos-25.11-small 0.2
- nixpkgs-25.11-darwin 0.2

Package maintainers

@RealityAnomaly Alex Zero <alex@arctarus.co.uk>

Nixpkgs security tracker