Description
Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Published: 2026-01-28
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized cross-model relations leading to privilege escalation
Action: Assess
AI Analysis

Impact

A cross-model authorization flaw in Juju permits a malicious user who can alter database records to forge macaroons that the controller incorrectly validates even when the underlying permissions are revoked or expired. This allows a charm to preserve or re-establish cross-model relations and use another charm's workload without consent, effectively enabling unauthorized access or data manipulation. The weakness falls under the CWE categories related to resource manipulation and implicit deletion, and the CVSS rating of 2.1 indicates a low-severity issue, albeit one that can affect the confidentiality and integrity of inter-charm interactions.

Affected Systems

This vulnerability affects Canonical’s Juju platform; no specific version numbers are provided, so all current releases prior to a future fix are potentially impacted. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 2.1 combined with an EPSS of less than 1% suggests a low exploitation probability, and the flaw is not yet catalogued in the KEV registry. The attack likely requires local or privileged database write access to create the forged macaroons, limiting the attack surface. Nonetheless, in environments where charms interact across models, the risk of unauthorized privilege escalation remains a concern.

Generated by OpenCVE AI on April 18, 2026 at 01:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict database write permissions to trusted administrative users to prevent unauthorized macaroon creation.
  • Review and tighten cross-model relation configurations, disabling or limiting relations that are not strictly necessary.
  • Implement regular audits of charm interactions to detect unexpected access patterns and ensure macaroons are validated against current permission states.


Tracking


Advisories

  Source: GitHub GHSA
  ID: GHSA-j477-6vpg-6c8x
  Title: Juju has broken CMR authorization
History

Sat, 18 Apr 2026 02:00:00 +0000

  Title (values added): Cross-Model Authorization Bypass Allowing Unauthorized Charm Interaction

Thu, 29 Jan 2026 10:15:00 +0000

  First Time appeared (values added): Canonical; Canonical juju
  Vendors & Products (values added): Canonical; Canonical juju

Wed, 28 Jan 2026 15:15:00 +0000

  Description (values added): Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
  Weaknesses (values added): CWE-347, CWE-672
  References (values added):
  Metrics (values added):
    cvssV4_0: {'score': 2.1, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-01-28T15:06:23.120Z

Reserved: 2026-01-20T16:56:24.051Z

Link: CVE-2026-1237

Vulnrichment

Updated: 2026-01-28T15:06:17.121Z

NVD

Status : Deferred

Published: 2026-01-28T15:16:16.363

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1237

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses