CVE-2026-1237
Lifecycle Timeline
2DescriptionCVE.org
Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
AnalysisAI
Vulnerable cross-model authorization in juju.
Technical ContextAI
Classified as CWE-347 (Improper Verification of Cryptographic Signature). Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Affected ProductsAI
Vulnerable cross-model authorization in juju
RemediationAI
Monitor vendor advisories for a patch.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j477-6vpg-6c8x