Skip to main content

Juju EUVDEUVD-2026-12823

| CVE-2026-32694 MEDIUM
Predictable Value Range from Previous Values (CWE-343)
2026-03-18 canonical GHSA-5cj2-rqqf-hx9p
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 13:45 euvd
EUVD-2026-12823
Analysis Generated
Mar 18, 2026 - 13:45 vuln.today
CVE Published
Mar 18, 2026 - 12:55 nvd
MEDIUM 6.6

DescriptionCVE.org

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

AnalysisAI

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.

Technical ContextAI

Juju is Canonical's infrastructure automation and application orchestration platform (CPE: cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*), which manages secrets and permissions across distributed deployments. The vulnerability stems from CWE-343 (Predictable from External Input), where the secret ownership verification mechanism relies solely on a predictable XID (external identifier) rather than cryptographic or unpredictable tokens. When a secret owner grants permissions to a secret destined for one grantee, the system fails to use sufficient entropy or randomization to protect the secret's identity. This allows any grantee with request capabilities to deterministically predict the identifiers of other secrets granted by the same owner, effectively circumventing access controls. The root cause is inadequate secret identification and access control validation in the permission-granting workflow.

RemediationAI

Upgrade Juju to version 3.6.19 or later, which implements a non-predictable secret identification mechanism (see Canonical's official advisory at https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p for patch details). Until patching is possible, administrators should restrict the deployment of untrusted or adversary-controlled applications within Juju environments, enforce strong secret-granting policies to minimize the number of distinct grantees per secret owner, and audit secret permission logs regularly for unauthorized access attempts. Additionally, network segmentation can reduce the attack surface by limiting which applications have permission to request secrets.

More in Juju

View all
CVE-2017-9232 CRITICAL POC
9.8 May 28

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe

CVE-2025-0928 HIGH POC
8.8 Jul 08

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina

CVE-2025-53513 HIGH POC
8.8 Jul 08

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t

CVE-2024-7558 HIGH POC
8.0 Oct 02

JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack

CVE-2025-53512 MEDIUM POC
6.5 Jul 08

The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb

CVE-2026-4370 CRITICAL
10.0 Apr 01

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple

CVE-2026-5412 CRITICAL
9.9 Apr 10

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia

CVE-2026-32693 HIGH
8.8 Mar 18

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with

CVE-2024-6984 LOW POC
3.8 Jul 29

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged

CVE-2026-32692 HIGH
7.6 Mar 18

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat

CVE-2025-68153 HIGH
7.1 Apr 03

Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to

CVE-2025-68152 MEDIUM
6.9 Apr 03

Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r

Vendor StatusVendor

Debian

juju
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-12823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy