CVE-2026-1237 Overview
CVE-2026-1237 is an authorization bypass vulnerability in Juju that affects cross-model permissions validation. When a charm's cross-model permissions are revoked or expire, a malicious user with database record modification capabilities can mint an invalid macaroon that is incorrectly validated by the juju controller. This enables a charm to maintain otherwise revoked or expired permissions, allowing unauthorized continuation of cross-model relations.
Critical Impact
A malicious actor can bypass permission revocation to maintain unauthorized access to cross-model relations, allowing charms to use workloads from other charms without proper authorization.
Affected Products
- Juju (all versions - no fix available as of publication)
Discovery Timeline
- 2026-01-28 - CVE-2026-1237 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-1237
Vulnerability Analysis
This vulnerability stems from improper verification of cryptographic signatures (CWE-347) in Juju's macaroon-based authorization system. Macaroons are a type of bearer credential used for decentralized authorization, and Juju relies on them to manage cross-model permissions between charms.
The core issue lies in how the Juju controller validates macaroons when cross-model permissions are checked. When permissions are revoked or expire, the controller should reject any macaroons associated with those permissions. However, due to improper cryptographic signature verification, an attacker who can modify database records can craft macaroons that pass validation despite representing revoked or expired permissions.
The attack requires adjacent network access and the ability to manipulate database records, which provides some limitation on the attack surface. However, once these prerequisites are met, the attacker can maintain persistent unauthorized access to cross-model relations.
Root Cause
The vulnerability is caused by improper verification of cryptographic signatures (CWE-347) in the Juju controller's macaroon validation logic. The controller fails to properly verify that macaroons representing cross-model permissions have not been tampered with or minted without proper authorization. This allows an attacker with database write access to create macaroons that bypass permission revocation checks.
Attack Vector
The attack vector requires adjacent network access with low privileges required. An attacker must first gain the ability to modify database records within the Juju environment. Once this access is obtained, the attacker can:
- Identify a charm relationship where cross-model permissions have been revoked or are set to expire
- Craft a malicious macaroon that appears valid to the Juju controller
- Present this macaroon during authorization checks to maintain the revoked cross-model relation
- Continue accessing workloads from the target charm without proper authorization
The attack complexity is high due to the prerequisite of database modification capabilities, and the vulnerability requires an active cross-model relation context. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-1237
Indicators of Compromise
- Unexpected or unauthorized cross-model relations persisting after permission revocation
- Anomalous database modifications targeting macaroon or authorization-related tables
- Charms maintaining access to workloads after their cross-model permissions should have expired
- Unusual authentication patterns in Juju controller logs
Detection Strategies
- Monitor Juju controller logs for authorization events involving cross-model relations
- Implement database audit logging to detect unauthorized modifications to authorization records
- Regularly audit active cross-model relations against expected permission states
- Deploy SentinelOne Singularity to detect anomalous database access patterns and unauthorized modifications
Monitoring Recommendations
- Enable verbose logging on Juju controllers to capture detailed authorization decisions
- Set up alerts for cross-model relation activities that occur after permission revocation events
- Implement periodic reconciliation checks between expected and actual cross-model permissions
- Monitor for signs of database tampering in Juju's backend storage
How to Mitigate CVE-2026-1237
Immediate Actions Required
- Review and audit all active cross-model relations for unauthorized access
- Restrict database write access to only essential, trusted administrators
- Implement additional access controls around database records containing authorization data
- Consider temporarily disabling cross-model relations in high-security environments until a patch is available
Patch Information
No fix is available as of the time of writing (2026-01-29). Organizations should monitor the GitHub Security Advisory for updates on patch availability.
Workarounds
- Implement strict access controls to prevent unauthorized database modifications
- Deploy network segmentation to limit adjacent network access to Juju infrastructure
- Regularly rotate and audit cross-model permissions to detect unauthorized persistence
- Use external monitoring tools to verify cross-model relation states match expected configurations
# Configuration example - Restrict database access permissions
# Ensure only authorized users can modify Juju's backend database
# Example for PostgreSQL backend:
REVOKE ALL ON juju_authorization FROM PUBLIC;
GRANT SELECT ON juju_authorization TO juju_read_only;
GRANT SELECT, INSERT, UPDATE, DELETE ON juju_authorization TO juju_admin;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
