Juju 4.0.11

🗓️ 2 Jun 2026

This is a cumulative bug fix release for Juju 4.0, covering changes from 4.0.5 to 4.0.11.

🎯 Highlights

• Security and access checks are tighter: fixes cover dependency vulnerabilities, JAAS bakery authentication, offer permissions, credential access, and Kubernetes-backed user secret creation.

• Model migration and CMR are more reliable: Juju now handles remote secrets, external users, relation key ordering, local charms, and relation rejoin behavior more consistently during import and migration.

• Storage and Kubernetes lifecycle behavior is safer: storage removal, volume tracking, storage directives, block device provenance, Kubernetes redeployment, and container-machine startup all receive targeted fixes.

• Controller and worker stability improves: fixes reduce hangs, panics, goroutine leaks, watcher stalls, and API caller blocking in common controller and agent paths.

Full cumulative list of changes: https://github.com/juju/juju/compare/v4.0.5…20cb167e0dbadab011fcc246d7882220237e5606

🛠️ Fixes

🔒 Security, access, and authentication

This release tightens user, credential, offer, and secret access paths. It also includes dependency updates for security vulnerabilities in Go networking and streaming libraries.

• fix: add mutex to gate concurrent macaroon user token access

• fix(access): filter credential model access by owner only

• fix: application offers permission check

• fix: jaas-bakery missing cleanDischargeURL and key

• fix: resolve security vuln in golang.org/x/crypto/ssh

• fix: resolve vulns found in golang.org/x/net/html

• fix: pass new secret ID to K8s backend on user secret create

• fix(deps): upgrade github.com/moby/spdystream to v0.5.1

🔁 Migration, CMR, and relation correctness

Several fixes focus on the 3.6 to 4.0 transition path and CMR data correctness. Remote secrets, local charms, external users, relation key order, and relation rejoin behavior are handled more reliably.

• feat(cmr): add support for remote secrets handling during migration

• feat(cmr): implement support for importing remote secrets

• fix: bug with migrating local charms

• fix(secretbackend): migration for secret in builtin CaaS backend

• fix(modelmigration): create external users on model import

• fix(cmr): populate offer connection details in list-offers API response

• fix(uniter): re-integrating the same endpoints re-fires relation-joined

• fix: correct the order of relation key during import

🗃️ Storage and Kubernetes lifecycle

Storage handling is more robust across migration, refresh, removal, Kubernetes stateful workloads, and status output. The fixes reduce the chance of stale storage directives, lost volume context, incorrect provider data, or failed cleanup blocking model operations.

• feat: adopting filesystem from storage pool in storage domain service

• fix: drain storage provisioner worker timers

• fix: removal of units with storage

• fix: preserve unit storage directives during charm refresh

• fix: gracefully handle error when storage backing is not found

• fix: track block device provenance

• fix: return error instead of dropping unmatched storage attachments

• fix(storage): ensure storage pool is included

• fix: k8s redeployment issue with unit starting ordinal change

• fix: preserve remove-storage attachment errors

• fix: uninstall lxd-container-provisioner manifold on container machines

🧱 Controller, API, worker, and provisioning stability

Controller and agent workers now handle more edge cases without hanging, blocking, leaking goroutines, or panicking. The fixes target API callers, watchers, the async charm downloader, the provisioner, the SSH server, Dqlite listen addresses, and dbaccessor shutdown behavior.

• fix: apiremotecaller racy report

• fix: only report controller set changes in apiaddresssetter

• fix: avoid blocking the apiremoterelationcaller loop

• fix: over-eager http client creation in asynccharmdownloader

• fix: sshserver check watcher closure and port changes

• fix: dbaccessor merged-channel leak

• fix: infinite recursive loop in provisioner task

• feat: add a timeout to downloads for asynccharmdownloader

• fix: dqlite mutual TLS dbaccessor now uses mutual TLS for dqlite peers

• fix: misc asynccharmdownloader issues

• fix: api remote caller

• fix: prevent panic in provisioner

🧭 Operator-facing CLI, status, network, and offer output

User-facing output is more accurate and consistent. Fixes include command output formatting, controller port reporting, relation network data, network-get, offer listing, application-storage size display, hostname handling, and stable relation information ordering.

• fix(actions): preserve newlines in exec JSON output

• feat: relation ingress and egress data for unit settings

• fix: add controller ports in status output

• fix: persist Hostname when importing machine

• fix: list-offers by matching juju 3 behavior

• fix: network-get for mismatched endpoint and relation

• fix: application-storage tabular output to use humanize size

• fix(relation): restore stable relation-info order

📘 Summary

4.0.11 is a broad reliability patch release. It hardens Juju’s access and authentication behavior, closes security dependency gaps, improves the migration and CMR path from 3.6 to 4.0, and fixes storage, Kubernetes, worker, API, and operator-output issues found after 4.0.5.