Skip to main content
CVE Vulnerability Database

CVE-2026-1237: Juju Auth Bypass Vulnerability

CVE-2026-1237 is an authentication bypass vulnerability in Juju that allows malicious users to maintain revoked cross-model permissions. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2026-1237 Overview

CVE-2026-1237 is an authorization vulnerability in juju, an open-source application modeling and orchestration tool. The flaw affects cross-model relations, where charms in one model interact with charms in another. A malicious user with the ability to update database records can forge an invalid macaroon. The juju controller incorrectly validates this macaroon, allowing a charm to retain cross-model permissions after they have been revoked or expired. The result is unauthorized access to workloads in a related model. No fix is available as of the time of writing.

Critical Impact

An attacker with database write access can mint forged macaroons that bypass cross-model authorization checks, allowing charms to continue using another charm's workload after permissions are revoked.

Affected Products

  • juju controller (cross-model relation feature)
  • Charms participating in cross-model relations
  • Deployments where database records can be modified by a malicious user

Discovery Timeline

  • 2026-01-28 - CVE-2026-1237 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2026-1237

Vulnerability Analysis

The vulnerability is categorized under [CWE-347] Improper Verification of Cryptographic Signature. juju uses macaroons, which are bearer tokens with embedded caveats, to authorize cross-model relations between charms. When a charm's cross-model permissions are revoked or expire, the controller is expected to reject any macaroon presented for that relation.

The vulnerability stems from incorrect validation logic in the juju controller. A user who can write to the underlying database can construct an invalid macaroon. The controller accepts this forged macaroon as authentic and grants the associated charm continued access to the related workload. This breaks the trust boundary that cross-model relations are designed to enforce.

The attack requires adjacent network access and elevated privileges to modify database records. The scope is limited to the cross-model relationship in which the attacker already participates.

Root Cause

The root cause is improper signature verification of macaroons used for cross-model authorization. The controller does not correctly validate the cryptographic integrity or revocation state of macaroons retrieved from database records. An attacker controlling those records can supply a crafted macaroon that satisfies the flawed validation path.

Attack Vector

An attacker with the ability to update juju's database records targets the macaroon storage used for cross-model relations. The attacker mints a macaroon referencing a revoked or expired permission grant. When the controller next validates an incoming cross-model request, it accepts the forged macaroon. The associated charm continues to relate to the cross-model peer and consume its workload without authorization.

No verified proof-of-concept code is publicly available. See the GitHub Security Advisory GHSA-j477-6vpg-6c8x for vendor-provided technical context.

Detection Methods for CVE-2026-1237

Indicators of Compromise

  • Cross-model relations that remain active after the associated permission grant has been revoked or expired in the controller state
  • Unexpected writes to macaroon-related tables or collections in the juju controller database
  • Charms continuing to issue requests against a related workload after the offer has been removed

Detection Strategies

  • Audit the juju controller database for direct modifications to macaroon records that did not originate from the controller process
  • Correlate cross-model relation activity with the timeline of permission revocations to identify access that should have been terminated
  • Inspect controller logs for macaroon validation events tied to revoked or expired offers

Monitoring Recommendations

  • Enable verbose audit logging on the juju controller for cross-model relation events and offer permission changes
  • Monitor administrative and service accounts with write access to the controller database
  • Alert on cross-model traffic patterns that persist after an offer has been revoked

How to Mitigate CVE-2026-1237

Immediate Actions Required

  • Restrict and audit access to the juju controller database; treat database write capability as equivalent to controller administrative access
  • Review existing cross-model offers and remove any that are not strictly required
  • Rotate macaroon signing material and invalidate outstanding cross-model relations where feasible
  • Track the GitHub Security Advisory GHSA-j477-6vpg-6c8x for fix availability

Patch Information

No fix is available as of the time of writing. Refer to the juju security advisory GHSA-j477-6vpg-6c8x for vendor updates and remediation guidance once published.

Workarounds

  • Limit the set of users and services that can authenticate to or modify the juju controller database
  • Avoid granting cross-model offers to untrusted charms or operators
  • Remove cross-model offers immediately when they are no longer required rather than relying solely on expiration
  • Place the controller and its database on a segmented network reachable only by trusted administrative hosts

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.