CVE-2026-1237 LOW

CVE-2026-1237

Vendor Canonical
Product juju
Weakness CWE-672
Published January 28, 2026
Last update January 28, 2026

CVSS base score

2.1/10
Attack vector Adjacent
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.

Key dates

02Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated