CVE-2026-32691
Received - Intake
Race Condition in Juju Secrets Management Allows Unauthorized Secret Access

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: Canonical Ltd.

Description
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-06-16
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: canonical
Product: juju
Version / Range: From 3.0.0 (inclusive) to 3.6.19 (exclusive)
CWE ID: CWE-708
Description: The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
Executive Summary

This vulnerability is a race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18. It occurs between the generation of a Juju Secret ID and the creation of the secret's first revision. During this window, an authenticated unit agent other than the legitimate owner can claim ownership of the newly initialized secret.

As a result, the attacker can read the content of the initial secret revision, compromising the confidentiality of the secret. The root cause is incorrect ownership assignment, where ownership is assigned to an entity outside the intended control. [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker with low privileges and network access to read sensitive secret data that they should not have access to. Since the attacker can claim ownership of a secret during its initialization, they can access confidential information, leading to a breach of confidentiality.

The attack does not affect the integrity or availability of the system, but the confidentiality impact is high.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Juju to version 3.6.19 or later, where the issue has been patched.

Since the vulnerability allows an authenticated unit agent to claim ownership of secrets due to a race condition, limiting network access and restricting authenticated unit agent privileges may reduce exposure until the patch is applied.
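
To find which deployments still need the upgrade, the affected range stated on this page (3.0.0 inclusive to 3.6.19 exclusive) can be checked against an inventory of Juju version strings. The following is an added example, not code from Canonical or from this advisory; the inventory names are constructed, and the suffix handling assumes strings shaped like the output of `juju version` (for example `3.6.18-genericlinux-amd64`).

```python
import re

# Affected range as stated on this page: 3.0.0 (inclusive) to 3.6.19 (exclusive).
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 6, 19)

# Leading major.minor.patch of strings such as "3.6.18", "3.6.18.1" or
# "3.6.18-genericlinux-amd64". Anything after the patch number is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if there is no such prefix."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(text):
    """True or False for a parsable version; None when it needs manual review."""
    v = parse_version(text)
    if v is None:
        # Pre-release tags such as "3.6-rc1" are not covered by the page's
        # range statement, so they are not classified automatically.
        return None
    # Tuple comparison is numeric, so 3.10.0 sorts after 3.6.19 as it should.
    return FIRST_AFFECTED <= v < FIRST_FIXED


def triage(inventory):
    """Map each name in {name: version string} to 'affected', 'ok' or 'review'."""
    labels = {True: "affected", False: "ok", None: "review"}
    return {name: labels[is_affected(ver)] for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical names, not real deployments).
SAMPLE = {
    "controller-a": "3.6.18-genericlinux-amd64",
    "controller-b": "3.6.19",
    "controller-c": "2.9.49",
    "controller-d": "3.1.10.1",
    "controller-e": "3.6-rc1",
}

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE).items()):
        print(f"{name}: {SAMPLE[name]} -> {verdict}")
```

Entries marked "review" could not be placed in the range automatically and should be checked by hand.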
