Cross-Model Authorization Flaw in Juju Affects User Permissions
CVE-2026-1237

2.1LOW

Key Information:

Vendor: Canonical
Status: Juju
Vendor: CVE Published:; 28 January 2026

What is CVE-2026-1237?

A vulnerability in Juju capabilities allows a malicious user to exploit revoked or expired cross-model permissions. When a charm's permissions are no longer valid, an attacker can manipulate the database to create an invalid macaroon that the Juju controller mistakenly validates. This exploitation allows the charm to retain unauthorized relations with other charms in a cross-model setup, effectively bypassing established security controls and utilizing resources without consent. As of now, no fix has been released to mitigate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

juju 0

References

https://github.com/juju/juju/security/advisories/GHSA-j47...

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 28, 2026
Vulnerability Reserved
Jan 20, 2026

JSON

Canonical