Low severityNVD Advisory· Published Jan 28, 2026· Updated Apr 15, 2026

CVE-2026-1237

Description

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/juju/jujuGo	<= 0.0.0-20260127110037-9b1a0e53a4a4	—

Affected products

Juju/Jujuinferred

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-j477-6vpg-6c8xghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-1237ghsaADVISORY
github.com/juju/juju/pull/21062ghsaWEB
github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8xnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000