Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.
AnalysisAI
A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.
Technical ContextAI
Juju is Canonical's infrastructure automation and application orchestration platform (CPE: cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*), which manages secrets and permissions across distributed deployments. The vulnerability stems from CWE-343 (Predictable from External Input), where the secret ownership verification mechanism relies solely on a predictable XID (external identifier) rather than cryptographic or unpredictable tokens. When a secret owner grants permissions to a secret destined for one grantee, the system fails to use sufficient entropy or randomization to protect the secret's identity. This allows any grantee with request capabilities to deterministically predict the identifiers of other secrets granted by the same owner, effectively circumventing access controls. The root cause is inadequate secret identification and access control validation in the permission-granting workflow.
RemediationAI
Upgrade Juju to version 3.6.19 or later, which implements a non-predictable secret identification mechanism (see Canonical's official advisory at https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p for patch details). Until patching is possible, administrators should restrict the deployment of untrusted or adversary-controlled applications within Juju environments, enforce strong secret-granting policies to minimize the number of distinct grantees per secret owner, and audit secret permission logs regularly for unauthorized access attempts. Additionally, network segmentation can reduce the attack surface by limiting which applications have permission to request secrets.
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate pe
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent bina
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on t
JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access deb
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows comple
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentia
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestrat
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to r
Same technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12823
GHSA-5cj2-rqqf-hx9p