Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-1237

created 2 months, 2 weeks ago

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions …

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.

References

https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x

Affected products

juju

==0

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

nixos-unstable 3.6.8
- nixpkgs-unstable 3.6.8
- nixos-unstable-small 3.6.8
nixos-25.11 3.6.11
- nixpkgs-25.11-darwin 3.6.11

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

nixos-unstable 0.32.0
- nixpkgs-unstable 0.32.0
- nixos-unstable-small 0.32.0
nixos-25.11 0.35.0
- nixpkgs-25.11-darwin 0.35.0

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2
nixos-25.11 0.2
- nixpkgs-25.11-darwin 0.2

Package maintainers

@RealityAnomaly Alex Zero <alex@arctarus.co.uk>
@bbigras Bruno Bigras <bigras.bruno@gmail.com>
@0x4A6F Joachim Ernst <mail-maintainer@0x4A6F.dev>
@emilazy Emily <nixpkgs@emily.moe>
@thoughtpolice Austin Seipp <aseipp@pobox.com>