CVE-2026-32693
published 2026-03-18CVE-2026-32693: In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret…
PriorityP350high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.30%
21.9th percentile
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | >= 3.0.0 < 3.6.19 | 3.6.19 |
| github.com | juju_juju | >= 0.0.0-20221021155847-35c560704ee2 < 0.0.0-20260319091847-d06919eb03ec | 0.0.0-20260319091847-d06919eb03ec |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju
osv·2026-03-23
CVE-2026-32693 Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju
Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju
Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju
OSV
Juju has unauthorized access to out-of-scope Kubernetes secrets
osv·2026-03-19
CVE-2026-32693 [HIGH] Juju has unauthorized access to out-of-scope Kubernetes secrets
Juju has unauthorized access to out-of-scope Kubernetes secrets
### Summary
Grantee is able to update secret content using the `secret-set` tool due to broad Kubernetes access policy.
Implications are that it is possible, knowing a Kubernetes secret identifier (e.g. name), to patch without affecting the secret, revealing the value, or, patching while affecting the secrets value.
### Details
When a Juju secret is "granted" to an app, that app should be able to read the secret content but not modify it, and should be able to only read secrets that have been granted to it.
Authorization of the `secret-set` hook tool / controller request is not performed correctly, which allows the grantee to update the secret content and to read or affect other secrets.
### PoC
Tested:
- two applicatio
GHSA
Juju has unauthorized access to out-of-scope Kubernetes secrets
ghsa·2026-03-19
CVE-2026-32693 [HIGH] CWE-284 Juju has unauthorized access to out-of-scope Kubernetes secrets
Juju has unauthorized access to out-of-scope Kubernetes secrets
### Summary
Grantee is able to update secret content using the `secret-set` tool due to broad Kubernetes access policy.
Implications are that it is possible, knowing a Kubernetes secret identifier (e.g. name), to patch without affecting the secret, revealing the value, or, patching while affecting the secrets value.
### Details
When a Juju secret is "granted" to an app, that app should be able to read the secret content but not modify it, and should be able to only read secrets that have been granted to it.
Authorization of the `secret-set` hook tool / controller request is not performed correctly, which allows the grantee to update the secret content and to read or affect other secrets.
### PoC
Tested:
- two applicatio
No detection rules found.
No public exploits indexed.
2026-03-18
Published