Skip to main content

Juju CVE-2026-32691

| EUVDEUVD-2026-12815 MEDIUM
Incorrect Ownership Assignment (CWE-708)
2026-03-18 canonical GHSA-gfgr-6hrj-85ww
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 12:45 euvd
EUVD-2026-12815
Analysis Generated
Mar 18, 2026 - 12:45 vuln.today
CVE Published
Mar 18, 2026 - 12:28 nvd
MEDIUM 5.3

DescriptionCVE.org

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.

AnalysisAI

Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.

Technical ContextAI

Juju is an orchestration and modeling platform developed by Canonical for managing cloud applications and infrastructure. The vulnerability exists in the secrets management subsystem, which handles creation, storage, and access control for sensitive data within Juju models. The root cause is classified as CWE-708 (Incorrect Ownership Assignment), which describes a flaw where security-critical attributes (in this case, secret ownership) are assigned to the wrong entity due to improper synchronization. The race condition occurs between two discrete operations: (1) generation of a unique Juju Secret ID, and (2) creation of the secret's first revision with proper ownership metadata. A unit agent authenticated to the Juju controller can observe or predict a newly created secret ID and insert an ownership claim before the legitimate owner finalizes the secret's initialization, causing the system to incorrectly attribute ownership to the attacking unit. The affected product is identified via CPE cpe:2.0:a:canonical:juju:*:*:*:*:*:*:*:* for all versions in the 3.0.0 to 3.6.18 range.

RemediationAI

Upgrade Juju to version 3.6.19 or later to resolve this vulnerability. Canonical has released patched versions that implement proper synchronization and ownership validation in the secrets initialization workflow. Until patching is feasible, restrict access to the Juju controller API to trusted unit agents only by implementing network-level access controls and reviewing unit agent credentials and roles within the model. Additionally, audit existing secrets within affected models to identify any unauthorized ownership claims or access patterns, and consider rotating secrets that may have been exposed. For detailed patch information and release notes, consult the official advisory at https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww and update via Canonical's official Juju channels.

More in Juju

View all
CVE-2017-9232 CRITICAL POC
9.8 May 28

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe

CVE-2025-0928 HIGH POC
8.8 Jul 08

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina

CVE-2025-53513 HIGH POC
8.8 Jul 08

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t

CVE-2024-7558 HIGH POC
8.0 Oct 02

JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack

CVE-2025-53512 MEDIUM POC
6.5 Jul 08

The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb

CVE-2026-4370 CRITICAL
10.0 Apr 01

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple

CVE-2026-5412 CRITICAL
9.9 Apr 10

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia

CVE-2026-32693 HIGH
8.8 Mar 18

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with

CVE-2024-6984 LOW POC
3.8 Jul 29

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged

CVE-2026-32692 HIGH
7.6 Mar 18

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat

CVE-2025-68153 HIGH
7.1 Apr 03

Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to

CVE-2025-68152 MEDIUM
6.9 Apr 03

Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r

Vendor StatusVendor

Debian

juju
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy