Vulnerability Description
In Juju versions 3.0.0 through 3.6.18, when a secret owner grants a grantee permission on a secret, ownership is verified solely from the secret's predictable XID. A malicious grantee that is able to request secrets can therefore predict the XIDs of secrets the same owner previously granted to other grantees, and use the resources those secrets protect. Successful exploitation depends on a very specific configuration and data semantics, and requires the administrator to deploy at least two different applications, one of which is controlled by the attacker.
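The following Go program is an added illustration of the weakness class the description names; it is not Juju's code and does not reproduce the real Juju code path. It assumes the XID in question has an rs/xid-style layout (4-byte timestamp, 3-byte machine id, 2-byte pid, 3-byte counter), which is an assumption about the advisory's wording, and it uses constructed names ("owner-app", "db", "attacker") and a constructed counter start. The weak read path verifies ownership from the XID alone, so a grantee who holds one XID from an owner can walk the counter back to the owner's earlier secrets; the strict path checks the explicit (grantee, secret) grant and denies the guess.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sync/atomic"
)

// XID mirrors an rs/xid-style identifier: 4-byte timestamp, 3-byte machine
// id, 2-byte pid, 3-byte counter (assumed layout). Nothing in it is secret:
// IDs minted by one process in the same second differ only in the counter.
type XID [12]byte

// counter is the process-local sequence; the start value is a constructed assumption.
var counter uint32 = 0x1000

// mintXID builds a new XID for ts; machine id and pid are constructed constants.
func mintXID(ts uint32) XID {
	var id XID
	binary.BigEndian.PutUint32(id[0:4], ts)
	copy(id[4:7], []byte{0x0a, 0x0b, 0x0c})
	binary.BigEndian.PutUint16(id[7:9], 4242)
	c := atomic.AddUint32(&counter, 1)
	id[9], id[10], id[11] = byte(c>>16), byte(c>>8), byte(c)
	return id
}

func (x XID) String() string { return hex.EncodeToString(x[:]) }

// predictEarlier returns the XID the same process minted k steps before x
// (same second assumed; a real attacker also walks the timestamp back).
func predictEarlier(x XID, k uint32) XID {
	c := uint32(x[9])<<16 | uint32(x[10])<<8 | uint32(x[11])
	c -= k
	x[9], x[10], x[11] = byte(c>>16), byte(c>>8), byte(c)
	return x
}

type secret struct {
	owner string
	value string
}

// store is a toy secret backend with two read paths (hypothetical, not Juju's).
type store struct {
	secrets map[XID]secret
	grants  map[string]map[XID]bool    // grantee -> exact secret IDs granted
	related map[string]map[string]bool // owner -> grantees holding any grant
}

func newStore() *store {
	return &store{
		secrets: map[XID]secret{},
		grants:  map[string]map[XID]bool{},
		related: map[string]map[string]bool{},
	}
}

func (s *store) create(owner, value string, ts uint32) XID {
	id := mintXID(ts)
	s.secrets[id] = secret{owner: owner, value: value}
	return id
}

func (s *store) grant(owner string, id XID, grantee string) {
	if s.grants[grantee] == nil {
		s.grants[grantee] = map[XID]bool{}
	}
	s.grants[grantee][id] = true
	if s.related[owner] == nil {
		s.related[owner] = map[string]bool{}
	}
	s.related[owner][grantee] = true
}

var errDenied = errors.New("access denied")

// readWeak: ownership is inferred from the XID alone, so any grantee of the
// same owner can read any secret that owner minted, granted to them or not.
func (s *store) readWeak(grantee string, id XID) (string, error) {
	sec, ok := s.secrets[id]
	if !ok || !s.related[sec.owner][grantee] {
		return "", errDenied
	}
	return sec.value, nil
}

// readStrict: requires an explicit grant of this exact secret to this grantee.
func (s *store) readStrict(grantee string, id XID) (string, error) {
	sec, ok := s.secrets[id]
	if !ok || !s.grants[grantee][id] {
		return "", errDenied
	}
	return sec.value, nil
}

// scenario models the description: one owner, two grantees, the second malicious.
// It returns what the attacker obtained via each path plus the guessed and real IDs.
func scenario() (weak, strict string, guessed, target XID) {
	st := newStore()
	const ts = 1700000000
	target = st.create("owner-app", "db-password", ts) // granted only to "db"
	st.grant("owner-app", target, "db")
	own := st.create("owner-app", "attacker-token", ts) // granted to "attacker"
	st.grant("owner-app", own, "attacker")

	guessed = predictEarlier(own, 1) // attacker walks its own XID back one step
	weak, _ = st.readWeak("attacker", guessed)
	strict, _ = st.readStrict("attacker", guessed)
	return weak, strict, guessed, target
}

func main() {
	weak, strict, guessed, target := scenario()
	fmt.Printf("guessed %s == target %s: %v\n", guessed, target, guessed == target)
	fmt.Printf("weak path leaked %q; strict path leaked %q\n", weak, strict)
}
```

The practical check this suggests is the usual one for any "who may read this secret" decision: authorize on an explicit (principal, object) grant record, never on properties of the object identifier, because time-and-counter identifiers like this are enumerable by anyone who has seen a neighbour.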
CVSS Score
6.6 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Juju | >= 3.0.0, < 3.6.19 |
Related Weaknesses (CWE)
References
- https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-32694?
CVE-2026-32694 is a vulnerability with a CVSS score of 6.6 (MEDIUM). In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. ...
How severe is CVE-2026-32694?
CVE-2026-32694 has been rated MEDIUM with a CVSS base score of 6.6/10.
Is there a patch for CVE-2026-32694?
The affected range is Canonical Juju >= 3.0.0 and < 3.6.19, so 3.6.19 is the first release outside the affected range. See the GitHub security advisory (GHSA-5cj2-rqqf-hx9p) in the references section above for the vendor's patch details.