CVE-2026-1237: Juju has broken CMR authorization

January 29, 2026

Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.

References

github.com/advisories/GHSA-j477-6vpg-6c8x
github.com/juju/juju
github.com/juju/juju/pull/21062
github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x
nvd.nist.gov/vuln/detail/CVE-2026-1237

Code Behaviors & Features

Detect and mitigate CVE-2026-1237 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →