Publish GHSA-j477-6vpg-6c8x

advisory-database[bot] · advisory-database[bot] · commit 4bc683fb26e7 · 2026-01-29T15:23:13.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-j477-6vpg-6c8x/GHSA-j477-6vpg-6c8x.json b/advisories/github-reviewed/2026/01/GHSA-j477-6vpg-6c8x/GHSA-j477-6vpg-6c8x.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j477-6vpg-6c8x",
+  "modified": "2026-01-29T15:21:27Z",
+  "published": "2026-01-29T15:21:27Z",
+  "aliases": [
+    "CVE-2026-1237"
+  ],
+  "summary": "Juju has broken CMR authorization",
+  "details": "### Impact\n\nCross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.\n\n### Scenario\n\nA user knows that user X has access to offer Y. The user mints a macaroon stating that user X has access to offer Y and sends it to the controller in a request. The controller fails to verify the macaroon because it lacks the root key and mints a new macaroon requiring proof that user X has access to offer Y. Since user X does have access and the discharge endpoint does not require authentication, the controller returns the new macaroon. The user can then use the returned macaroon to consume the offer as user X.\n\n### Patches\n\nN/A\n\n### Workarounds\n\nA previous proposal via [this PR](https://github.com/juju/juju/pull/21062) addresses the issue but would break model migrations since macaroon root keys are not included in model descriptions. Additionally, root keys are not model-scoped, making it unclear which keys to transfer during migration.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/juju/juju"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.0.0-20260127110037-9b1a0e53a4a4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1237"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/juju/juju/pull/21062"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/juju/juju"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-29T15:21:27Z",
+    "nvd_published_at": "2026-01-28T15:16:16Z"
+  }
+}
