CVE-2026-1237

CWE-347, CWE-672 | 6 documents | 5 sources
Severity: 2.1 LOW
EPSS: 0.0% (top 99.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 28; latest update Feb 2

Description

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that the juju controller incorrectly validates, enabling the charm to retain permissions that were revoked or have expired. This allows the charm to continue relating to another charm in a cross-model relation and to consume that charm's workload without its permission. No fix is available as of the time of writing.

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Affected Packages (2 packages)

Go | github.com/juju/juju | 0.0.0-20260127110037-9b1a0e53a4a4
CVEList V5 | canonical/juju | 0

Vulnerability Details (4 records)

OSV: Juju has broken CMR authorization in github.com/juju/juju (2026-02-02)
GHSA: Juju has broken CMR authorization (2026-01-29)
OSV: Juju has broken CMR authorization (2026-01-29)
CVEList: CVE-2026-1237: Vulnerable cross-model authorization in juju (2026-01-28)

Threat Intelligence (1 record)

Wiz: CVE-2026-1237 Impact, Exploitability, and Mitigation Steps | Wiz