Juju has broken CMR authorization

CVE-2026-1237 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Impact

Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.

Scenario

A user knows that user X has access to offer Y. The user mints a macaroon stating that user X has access to offer Y and sends it to the controller in a request. The controller fails to verify the macaroon because it lacks the root key and mints a new macaroon requiring proof that user X has access to offer Y. Since user X does have access and the discharge endpoint does not require authentication, the controller returns the new macaroon. The user can then use the returned macaroon to consume the offer as user X.

Patches

N/A

Workarounds

A previous proposal via this PR addresses the issue but would break model migrations since macaroon root keys are not included in model descriptions. Additionally, root keys are not model-scoped, making it unclear which keys to transfer during migration.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-01-29 15:21:27 UTC
Updated
2026-01-29 15:21:28 UTC
GitHub reviewed
2026-01-29 15:21:27 UTC
NVD published
2026-01-28

EPSS Score

Score Percentile
0.01% 0.28%

CVSS Scores

Base score Version Severity Vector
2.1 4.0
CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Click to expand
Attack vector (AV:A)
Attacker has to be on an adjacent/local network segment.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:L)
Limited confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L)
Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:L)
Limited availability impact on subsequent systems.

Identifiers

Type Value
GHSA GHSA-j477-6vpg-6c8x ↗
CVE CVE-2026-1237 ↗

CWEs

CWE id Name
CWE-347 Improper Verification of Cryptographic Signature

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/juju/juju <= 0.0.0-20260127110037-9b1a0e53a4a4

References

cvelogic Threat Intelligence