Skip to main content

Juju CVE-2026-32693

| EUVDEUVD-2026-12819 HIGH
Incorrect Authorization (CWE-863)
2026-03-18 canonical GHSA-439w-v2p7-pggc
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 13:15 euvd
EUVD-2026-12819
Analysis Generated
Mar 18, 2026 - 13:15 vuln.today
CVE Published
Mar 18, 2026 - 12:47 nvd
HIGH 8.8

DescriptionCVE.org

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

AnalysisAI

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with grantee privileges to incorrectly update secret content beyond their intended permissions, potentially accessing or modifying other secrets. The vulnerability (CWE-863: Incorrect Authorization) has a CVSS score of 8.8, indicating high severity with network-based exploitation requiring low attack complexity and low privileges. The flaw is particularly dangerous because even when exploitation attempts are logged as errors, the unauthorized secret updates still persist and become visible to both owners and grantees.

Technical ContextAI

Juju is Canonical's open-source application modeling and deployment tool used for orchestrating cloud services and applications. The affected component is the 'secret-set' tool within Juju (cpe:2.3:a:canonical:juju), which manages secrets used in application deployments. The vulnerability stems from CWE-863 (Incorrect Authorization), where the authorization checks fail to properly validate whether a grantee has the authority to modify specific secrets. This allows privilege escalation within the secrets management system, where users can manipulate secrets outside their granted scope. The flaw affects the core secret management functionality, a critical component for secure credential and configuration management in multi-tenant cloud environments.

RemediationAI

Organizations should upgrade Canonical Juju to version 3.6.19 or later as soon as possible, following guidance in the official security advisory at https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc. Until patching can be completed, implement strict network segmentation to limit access to Juju controllers, enforce principle of least privilege by auditing and restricting secret grantee permissions, and implement enhanced monitoring for secret modification activities to detect unauthorized access attempts. Review all existing secret grants and revoke unnecessary permissions, and consider rotating secrets that may have been exposed during the vulnerable period.

More in Juju

View all
CVE-2017-9232 CRITICAL POC
9.8 May 28

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe

CVE-2025-0928 HIGH POC
8.8 Jul 08

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina

CVE-2025-53513 HIGH POC
8.8 Jul 08

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t

CVE-2024-7558 HIGH POC
8.0 Oct 02

JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack

CVE-2025-53512 MEDIUM POC
6.5 Jul 08

The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb

CVE-2026-4370 CRITICAL
10.0 Apr 01

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple

CVE-2026-5412 CRITICAL
9.9 Apr 10

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia

CVE-2024-6984 LOW POC
3.8 Jul 29

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged

CVE-2026-32692 HIGH
7.6 Mar 18

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat

CVE-2025-68153 HIGH
7.1 Apr 03

Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to

CVE-2025-68152 MEDIUM
6.9 Apr 03

Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r

CVE-2026-32694 MEDIUM
6.6 Mar 18

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to

Vendor StatusVendor

Debian

juju
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy