GHSA-j477-6vpg-6c8x

Suggest an improvement
Source
https://github.com/advisories/GHSA-j477-6vpg-6c8x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-j477-6vpg-6c8x/GHSA-j477-6vpg-6c8x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j477-6vpg-6c8x
Published
2026-01-29T15:21:27Z
Modified
2026-01-29T15:33:41.089586Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVSS Calculator
Summary
Juju has broken CMR authorization
Details

Impact

Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon (or if the macaroon has expired), an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these caveats are then blindly used to mint a new macaroon that becomes valid.

Scenario

A user knows that user X has access to offer Y. The user mints a macaroon stating that user X has access to offer Y and sends it to the controller in a request. The controller fails to verify the macaroon because it lacks the root key and mints a new macaroon requiring proof that user X has access to offer Y. Since user X does have access and the discharge endpoint does not require authentication, the controller returns the new macaroon. The user can then use the returned macaroon to consume the offer as user X.

Patches

N/A

Workarounds

A previous proposal via this PR addresses the issue but would break model migrations since macaroon root keys are not included in model descriptions. Additionally, root keys are not model-scoped, making it unclear which keys to transfer during migration.

Database specific 
{
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "LOW",
    "nvd_published_at": "2026-01-28T15:16:16Z",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T15:21:27Z"
}
References

Affected packages

Go / github.com/juju/juju

Package

Name
github.com/juju/juju
View open source insights on deps.dev
Purl
pkg:golang/github.com/juju/juju

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.0.0-20260127110037-9b1a0e53a4a4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-j477-6vpg-6c8x/GHSA-j477-6vpg-6c8x.json"