Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.
AnalysisAI
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestration tool, allowing authenticated unit agents to perform unauthorized updates to secret revisions beyond their intended scope. Juju versions 3.1.6 through 3.6.18 are affected, and attackers with sufficient information can poison any existing secret revision within the Vault secret back-end scope. With a CVSS score of 7.6 (High severity) featuring network attack vector, low complexity, and high integrity impact, this represents a significant security concern for Juju deployments using Vault as their secrets back-end, though no active exploitation (KEV) status or EPSS score was provided in available data.
Technical ContextAI
Juju is Canonical's application modeling and orchestration tool used for deploying and managing applications across cloud environments. The vulnerability resides in the Vault secrets back-end implementation, where unit agents (authenticated components that manage application units) interact with HashiCorp Vault for secrets management. The affected product is identified via CPE as cpe:2.3:a:canonical:juju spanning versions 3.1.6 through 3.6.18. The root cause is classified as CWE-285 (Improper Authorization), indicating that the system fails to properly verify whether a unit agent has the appropriate permissions to modify secret revisions, allowing privilege escalation within the secrets management layer. This is particularly concerning as Vault integration is typically used to centralize and secure sensitive credentials across distributed application deployments.
RemediationAI
Organizations should upgrade Juju to version 3.6.19 or later, or apply patches available from Canonical as detailed in the GitHub security advisory at https://github.com/juju/juju/security/advisories/GHSA-89x7-5m5m-mcmm. Until patching is completed, organizations should implement additional access controls and monitoring around unit agent authentication, review and audit Vault secret access patterns for anomalous modification attempts, and consider temporarily isolating or restricting network access to Juju controllers managing sensitive Vault-backed secrets. Organizations not using the Vault secrets back-end are not affected by this specific vulnerability. After upgrading, review all secret revisions for potential poisoning and rotate any secrets that may have been exposed to untrusted unit agents during the vulnerable period.
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t
JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r
A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12817
GHSA-89x7-5m5m-mcmm