CVE-2026-1237

CVE-2026-1237 is a low-severity security vulnerability in github.com/juju/juju (go), affecting versions <= 0.0.0-20260127110037-9b1a0e53a4a4. No fixed version is listed yet.

Summary

Scenario

A user knows that user X has access to offer Y. The user mints a macaroon stating that user X has access to offer Y and sends it to the controller in a request. The controller fails to verify the macaroon because it lacks the root key and mints a new macaroon requiring proof that user X has access to offer Y. Since user X does have access and the discharge endpoint does not require authentication, the controller returns the new macaroon. The user can then use the returned macaroon to consume the offer as user X.


Workarounds

A previous proposal via this PR addresses the issue but would break model migrations since macaroon root keys are not included in model descriptions. Additionally, root keys are not model-scoped, making it unclear which keys to transfer during migration.

Impact

Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.
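The scenario and impact above reduce to one check: facts may be read from a macaroon's declared caveats only after the macaroon has been verified. The following toy model is an added illustration and not juju's code (juju's real macaroons come from macaroon-bakery, whose format differs); the keys, the "offer-access" identifier and the "declared user" caveat text are constructed for the example. With `trustUnverified` set, `Discharge` behaves as the advisory describes and mints a valid macaroon for whichever user the forged caveat names; with it unset, the unverified macaroon is refused.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Macaroon is a toy HMAC-chained token; "declared user <name>" caveats carry asserted facts.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}
func chain(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}
// Mint binds a macaroon to rootKey and folds one caveat into its signature.
func Mint(rootKey []byte, id, caveat string) Macaroon {
	return Macaroon{ID: id, Caveats: []string{caveat}, Sig: chain(chain(rootKey, id), caveat)}
}
// Verify recomputes the chain with the controller's own root key.
func Verify(rootKey []byte, m Macaroon) bool {
	sig := chain(rootKey, m.ID)
	for _, c := range m.Caveats {
		sig = chain(sig, c)
	}
	return hmac.Equal(sig, m.Sig)
}
// Discharge models the controller's discharge step. With trustUnverified it reproduces
// the reported flaw: an unverified macaroon's "declared user" caveat is trusted and re-minted.
func Discharge(rootKey []byte, presented Macaroon, trustUnverified bool) (Macaroon, bool) {
	if Verify(rootKey, presented) {
		return presented, true
	}
	for _, c := range presented.Caveats {
		if trustUnverified && strings.HasPrefix(c, "declared user ") {
			return Mint(rootKey, "offer-access", c), true
		}
	}
	return Macaroon{}, false
}
func main() {
	forged := Mint([]byte("attacker-key-constructed"), "offer-access", "declared user X")
	_, ok := Discharge([]byte("controller-key-constructed"), forged, false)
	fmt.Println("unverified macaroon accepted by safe path:", ok) // false
}
```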

Affected versions

github.com/juju/juju (<= 0.0.0-20260127110037-9b1a0e53a4a4)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

No fixed version is listed for CVE-2026-1237 yet.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-1237? CVE-2026-1237 is a low-severity security vulnerability in github.com/juju/juju (go), affecting versions <= 0.0.0-20260127110037-9b1a0e53a4a4. No fixed version is listed yet.
  2. Which versions of github.com/juju/juju are affected by CVE-2026-1237? github.com/juju/juju (go) versions <= 0.0.0-20260127110037-9b1a0e53a4a4 are affected.
  3. Is there a fix for CVE-2026-1237? No fixed version is listed for CVE-2026-1237 yet. Monitor the advisory for updates and apply mitigations in the interim.
  4. Is CVE-2026-1237 exploitable, and should I be worried? Whether CVE-2026-1237 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-1237 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
