Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
AnalysisAI
Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.
Technical ContextAI
Juju is an orchestration and modeling platform developed by Canonical for managing cloud applications and infrastructure. The vulnerability exists in the secrets management subsystem, which handles creation, storage, and access control for sensitive data within Juju models. The root cause is classified as CWE-708 (Incorrect Ownership Assignment), which describes a flaw where security-critical attributes (in this case, secret ownership) are assigned to the wrong entity due to improper synchronization. The race condition occurs between two discrete operations: (1) generation of a unique Juju Secret ID, and (2) creation of the secret's first revision with proper ownership metadata. A unit agent authenticated to the Juju controller can observe or predict a newly created secret ID and insert an ownership claim before the legitimate owner finalizes the secret's initialization, causing the system to incorrectly attribute ownership to the attacking unit. The affected product is identified via CPE cpe:2.0:a:canonical:juju:*:*:*:*:*:*:*:* for all versions in the 3.0.0 to 3.6.18 range.
RemediationAI
Upgrade Juju to version 3.6.19 or later to resolve this vulnerability. Canonical has released patched versions that implement proper synchronization and ownership validation in the secrets initialization workflow. Until patching is feasible, restrict access to the Juju controller API to trusted unit agents only by implementing network-level access controls and reviewing unit agent credentials and roles within the model. Additionally, audit existing secrets within affected models to identify any unauthorized ownership claims or access patterns, and consider rotating secrets that may have been exposed. For detailed patch information and release notes, consult the official advisory at https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww and update via Canonical's official Juju channels.
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t
JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r
Same weakness CWE-708 – Incorrect Ownership Assignment
View allSame technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12815
GHSA-gfgr-6hrj-85ww