{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1237", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-01-20T16:56:24.051Z", "datePublished": "2026-01-28T15:01:46.364Z", "dateUpdated": "2026-01-28T15:06:23.120Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "juju", "vendor": "Canonical", "versions": [{"status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 2.1, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-672", "description": "CWE-672 Operation on a Resource after Expiration or Release", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-01-28T15:01:46.364Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:05:47.431871Z", "id": "CVE-2026-1237", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:06:23.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:05:47.431871Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:06:17.121Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Canonical", "product": "juju", "versions": [{"status": "affected", "version": "0", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"}], "descriptions": [{"lang": "en", "value": "Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-672", "description": "CWE-672 Operation on a Resource after Expiration or Release"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-01-28T15:01:46.364Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1237", "state": "PUBLISHED", "dateUpdated": "2026-01-28T15:06:23.120Z", "dateReserved": "2026-01-20T16:56:24.051Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-01-28T15:01:46.364Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing."}, {"lang": "es", "value": "Autorizaci\u00f3n entre modelos vulnerable en juju. Si los permisos entre modelos de un charm son revocados o expiran, un usuario malintencionado que es capaz de actualizar registros de la base de datos puede acu\u00f1ar un macaroon inv\u00e1lido que es validado incorrectamente por el controlador de juju, permitiendo que un charm mantenga permisos que de otro modo estar\u00edan revocados o expirados. Esto permite a un charm continuar relacion\u00e1ndose con otro charm en una relaci\u00f3n entre modelos, y usar su carga de trabajo sin su permiso. No hay soluci\u00f3n disponible al momento de escribir."}], "id": "CVE-2026-1237", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-01-28T15:16:16.363", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}, {"lang": "en", "value": "CWE-672"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:43:57.526466+00:00", "value": {"mitigation_remediation": ["Restrict database write permissions to trusted administrative users to prevent unauthorized macaroon creation.", "Review and tighten cross-model relation configurations, disabling or limiting relations that are not strictly necessary.", "Implement regular audits of charm interactions to detect unexpected access patterns and ensure macaroons are validated against current permission states."], "summary": {"action": "Assess", "impact": "Unauthorized cross-model relations leading to privilege escalation"}, "threat_synthesis": {"affected_systems": "This vulnerability affects Canonical\u2019s Juju platform; no specific version numbers are provided, so all current releases prior to a future fix are potentially impacted. No other vendors or products are listed.", "description_and_impact": "A cross-model authorization flaw in Juju permits a malicious user who can alter database records to forge macaroons that the controller incorrectly validates even when permissions are revoked or expired. This flaw allows a charm to preserve or re-establish cross-model relations and utilize another charm\u2019s workload without consent, effectively enabling unauthorized access or data manipulation. The weakness falls under the CWE categories related to resource manipulation and implicit deletion, and the CVSS rating of 2.1 indicates it is a low-severity issue, albeit one that can impact confidentiality and integrity of inter-charm interactions.", "risk_and_exploitability": "The CVSS score of 2.1 combined with an EPSS of less than 1% suggests a low exploitation probability, and the flaw is not yet catalogued in the KEV registry. The attack likely requires local or privileged database write access to create the forged macaroons, limiting the attack surface. Nonetheless, in environments where charms interact across models, the risk of unauthorized privilege escalation remains a concern."}}}}, "created": "2026-01-29T09:09:14.720162+00:00", "title": "Cross-Model Authorization Bypass Allowing Unauthorized Charm Interaction", "updated": "2026-04-18T01:45:33.404865+00:00", "vendors": ["canonical", "canonical$PRODUCT$juju"]}