CVE-2026-32691
published 2026-03-18CVE-2026-32691: A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly…
PriorityP431medium5.3CVSS 3.1
AVNACHPRLUINSUCHINAN
EPSS
0.23%
14.0th percentile
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | >= 3.0.0 < 3.6.19 | 3.6.19 |
| github.com | juju_juju | >= 3.0.0 < 3.6.19 | 3.6.19 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju
osv·2026-03-23
CVE-2026-32691 Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju
Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju
Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/juju/juju from v3.0.0 before v3.6.19.
GHSA
Juju affected by timing ownership claim attack on new external back-end secrets
ghsa·2026-03-19
CVE-2026-32691 [MEDIUM] CWE-708 Juju affected by timing ownership claim attack on new external back-end secrets
Juju affected by timing ownership claim attack on new external back-end secrets
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
### Impact
Between generating a Secret ID and creating the secret's first revision, an
attacker authenticated as another unit agent can claim ownership of a known
secret. This leads to the attacking unit being able to read the content of the
initial secret revision.
### Patches
3
OSV
Juju affected by timing ownership claim attack on new external back-end secrets
osv·2026-03-19
CVE-2026-32691 [MEDIUM] Juju affected by timing ownership claim attack on new external back-end secrets
Juju affected by timing ownership claim attack on new external back-end secrets
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
### Impact
Between generating a Secret ID and creating the secret's first revision, an
attacker authenticated as another unit agent can claim ownership of a known
secret. This leads to the attacking unit being able to read the content of the
initial secret revision.
### Patches
3
No detection rules found.
No public exploits indexed.
2026-03-18
Published