The Macaroon Mirage: Bypassing Juju's Cross-Model Authorization
Vulnerability ID: CVE-2026-1237
CVSS Score: 2.1
Published: 2026-01-29
A logic flaw in Canonical Juju's macaroon validation mechanism allows attackers to bypass cross-model authorization. By presenting a forged macaroon signed with an unknown key, an attacker can trick the controller into entering a discharge workflow that inadvertently validates the forged permissions. This vulnerability turns a cryptographic failure into a trusted credential exchange.
TL;DR
Juju controllers failed to reject macaroons signed with unknown keys. Instead of blocking them, the system asked for 'discharges' (third-party verification), effectively helping attackers validate their own forged tokens. The fix requires patching the controller to explicitly handle 'key not found' errors.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-672 (Resource After Expiration/Revocation)
- Attack Vector: Adjacent Network (AV:A)
- CVSS v4.0: 2.1 (Low)
- Privileges Required: Low (PR:L)
- User Interaction: None (UI:N)
- Exploit Status: PoC / Theoretical
Affected Systems
- Canonical Juju Controller (Pre-2026)
- Juju Cross-Model Relations (CMR)
- Deployments using Macaroon-based authorization
- Juju: < 3.6 (approx, reliant on PR date) (Fixed in: See Vendor Advisory)
Code Analysis
Commit: Merge o
apiserver/common/crossmodel: check for root key error in macaroon validation
    // An unknown root key means this controller never minted the macaroon:
    // deny outright instead of falling through to the discharge workflow.
    if strings.Contains(errors.Details(err), rootKeyErrorMessage) {
        return nil, apiservererrors.ErrPerm
    }
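The logic flaw and the shape of the fix, as an added Go example that is not Juju's code: the macaroon struct, the root key store and the error wording are constructed stand-ins, and authorizePatched guards the same discharge flow that authorizeVulnerable exposes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"strings"
)

type macaroon struct { // constructed stand-in, not the macaroon-bakery wire format
	KeyID, ID        string
	ThirdPartyCaveat bool // true while a third-party caveat is still undischarged
	Sig              []byte
}
const rootKeyErrorMessage = "root key not found" // assumed wording; Juju matches its own constant
var ErrPerm, errDischargeNeeded = errors.New("permission denied"), errors.New("discharge required")
var rootKeys = map[string][]byte{"k1": []byte("controller-root-key")} // constructed key store
func sign(key []byte, id string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(id))
	return h.Sum(nil)
}
// verify reports, in order: unknown root key, bad signature, undischarged third-party caveat.
func verify(m macaroon) error {
	key, ok := rootKeys[m.KeyID]
	if !ok {
		return errors.New(rootKeyErrorMessage + ": " + m.KeyID)
	}
	if !hmac.Equal(m.Sig, sign(key, m.ID)) {
		return errors.New("signature mismatch")
	}
	if m.ThirdPartyCaveat {
		return errDischargeNeeded
	}
	return nil
}
// authorizeVulnerable mirrors the pre-fix flow: any verification failure becomes a discharge request.
func authorizeVulnerable(m macaroon) (string, error) {
	if verify(m) != nil {
		return "discharge-required", nil
	}
	return "ok", nil
}
// authorizePatched puts the fix's check in front of that flow: an unknown root key is a hard ErrPerm.
func authorizePatched(m macaroon) (string, error) {
	if err := verify(m); err != nil && strings.Contains(err.Error(), rootKeyErrorMessage) {
		return "", ErrPerm
	}
	return authorizeVulnerable(m)
}
```

A macaroon under an unknown root key is answered with a discharge request by the vulnerable path and with ErrPerm by the patched one, while a genuine macaroon with an undischarged caveat still reaches the discharge workflow in both.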
Exploit Details
- Theoretical: Exploit requires minting macaroon with custom bakery and interacting with CMR API.
Mitigation Strategies
- Upgrade Juju Controller software immediately.
- Implement strict string checking for 'macaroon not found' errors in custom bakery implementations.
- Audit Cross-Model Relations (CMR) for unexpected connections.
Remediation Steps:
- Identify the Juju controller version: juju show-controller.
- Bootstrap a new controller on the patched version or run juju upgrade-controller.
- Verify the patch by monitoring logs for 'rejecting forged macaroon' messages.