CVE-2026-32694

CWE-343 CWE-639 — Insecure Direct Object Reference6 documents5 sources

Severity

6.6MEDIUM

EPSS

0.0%

top 88.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Juju Github.com Juju/juju

Timeline

PublishedMar 18

Latest updateMar 23

Description

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5canonical/juju3.0.0 — 3.6.19

▶NVDcanonical/juju3.0.0 — 3.6.19

▶Gogithub.com/juju/juju0.0.0-20221021155847-35c560704ee2 — 0.0.0-20260319091847-d06919eb03ec

🔴Vulnerability Details

OSV

Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju↗2026-03-23

▶

GHSA

Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets↗2026-03-19

▶

OSV

Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets↗2026-03-19

▶

CVEList

Insecure Direct Object Reference attack via predictable secret ID in Juju↗2026-03-18

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32694 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶