CVE-2026-32693

HIGH

Unauthorized access to Kubernetes secrets in Juju

Title source: cna

Description

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

References (1)

[Vendor Advisory] https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc

Scores

CVSS v3 8.8

EPSS 0.0007

EPSS Percentile 21.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-284 CWE-778 CWE-863

Status published

Products (3)

Canonical/Juju 3.0.0 - 3.6.19

canonical/juju 3.0.0 - 3.6.19

juju/juju 0.0.0-20221021155847-35c560704ee2 - 0.0.0-20260319091847-d06919eb03ecGo

Published Mar 18, 2026

Tracked Since Mar 18, 2026