CVE-2026-32692

HIGH

Unauthorized update of out-of-scope Vault secrets

Title source: cna

Description

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.

Scores

CVSS v3: 7.6
EPSS: 0.0003
EPSS Percentile: 9.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-285
Status: published
Products (3)
Canonical/Juju 3.1.6 - 3.6.19
canonical/juju 3.1.6 - 3.6.19
juju/juju 0.0.0-20230919230135-f6a66aa91eec - 0.0.0-20260319091847-d06919eb03ec (Go)
Published: Mar 18, 2026
Tracked Since: Mar 18, 2026