CVE-2026-32693 — Improper Access Control in Juju

CWE-284 — Improper Access Control CWE-778 — Insufficient Logging CWE-863 — Incorrect Authorization6 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 81.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Juju Github.com Juju Juju

Timeline

PublishedMar 18

Latest updateMar 23

Description

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5canonical/juju3.0.0 — 3.6.19

▶NVDcanonical/juju3.0.0 — 3.6.19

▶Gogithub.com/juju_juju0.0.0-20221021155847-35c560704ee2 — 0.0.0-20260319091847-d06919eb03ec

🔴Vulnerability Details

OSV

Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju↗2026-03-23

▶

OSV

Juju has unauthorized access to out-of-scope Kubernetes secrets↗2026-03-19

▶

GHSA

Juju has unauthorized access to out-of-scope Kubernetes secrets↗2026-03-19

▶

CVEList

Unauthorized access to Kubernetes secrets in Juju↗2026-03-18

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32693 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶