CVE-2026-1237
published 2026-01-28CVE-2026-1237: Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database…
PriorityP412low2.1CVSS 4.0
AVAACHATPPRLUINVCLVILVALSCLSILSALEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.13%
3.2th percentile
Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | — | — |
| github.com | juju_juju | 0 – 0.0.0-20260127110037-9b1a0e53a4a4 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Juju has broken CMR authorization in github.com/juju/juju
osv·2026-02-02
CVE-2026-1237 Juju has broken CMR authorization in github.com/juju/juju
Juju has broken CMR authorization in github.com/juju/juju
Juju has broken CMR authorization in github.com/juju/juju
GHSA
Juju has broken CMR authorization
ghsa·2026-01-29
CVE-2026-1237 [LOW] CWE-347 Juju has broken CMR authorization
Juju has broken CMR authorization
### Impact
Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.
### Scenario
A user knows that user X has access to offer Y. The user mints a macaroon stating that user X has access to offer Y and sends it to the controller in a request. The controller fails to verify the macaroon because it lacks the root key and mints a new macaroon requiring proof that user X has access to offer Y. Since user X does have access and the discharge endpoint does
OSV
Juju has broken CMR authorization
osv·2026-01-29
CVE-2026-1237 [LOW] Juju has broken CMR authorization
Juju has broken CMR authorization
### Impact
Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.
### Scenario
A user knows that user X has access to offer Y. The user mints a macaroon stating that user X has access to offer Y and sends it to the controller in a request. The controller fails to verify the macaroon because it lacks the root key and mints a new macaroon requiring proof that user X has access to offer Y. Since user X does have access and the discharge endpoint does
No detection rules found.
No public exploits indexed.
2026-01-28
Published