SUSE CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

Juju has broken CMR authorization

Impact Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon or if the macaroon has expired, an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these...

EUVD-2026-4900

Juju has broken CMR authorization...

GHSA-J477-6VPG-6C8X Juju has broken CMR authorization

Impact Cross-model Relation authorization is broken and has a potential security vulnerability. If the controller does not have the root key to verify the macaroon or if the macaroon has expired, an unvalidated and therefore untrusted macaroon is used to extract declared caveats. Facts from these...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

Operation on a Resource after Expiration or Release

Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release in the macaroon validation for cross-model authorization. An attacker can maintain unauthorized access to resources by crafting and submitting an invalid macaroon that is incorrectly...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

CVE-2026-1237

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or...

CVE-2026-1237

Summary: CVE-2026-1237 describes a vulnerability in Juju where broken cross-model authorization allows a charm to retain access after permissions are revoked or expired by minting an invalid macaroon that the controller erroneously accepts. The root cause is that the Juju controller may fail to v...

PT-2026-5129

Name of the Vulnerable Software and Affected Versions juju affected versions not specified Description A flaw exists in juju related to cross-model authorization. If permissions for a charm in a cross-model relation are revoked or expire, a malicious user capable of updating database records can...

SUSE CVE-2019-5885

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...

GHSA-JRQM-V8CV-53WW Matrix Synapse Predictable Secret Key

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...

Matrix Synapse Predictable Secret Key

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...

User Impersonation

matrix-synapse is vulnerable to user impersonation. If a configuration parameter called macaroonsecretkey is not set, the authentication secret key is derived using a predictable value and other secrets, allowing remote attackers to impersonate users...

DEBIAN-CVE-2019-5885

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...

PYSEC-2019-187

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...