CVE-2026-32691
Race Condition in Juju Secrets Management Allows Unauthorized Secret Access
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: Canonical Ltd.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | juju | From 3.0.0 (inc) to 3.6.19 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-708 | The product assigns an owner to a resource, but the owner is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18. It occurs between the generation of a Juju Secret ID and the creation of the secret's first revision. During this window, an authenticated unit agent other than the legitimate owner can claim ownership of the newly initialized secret.
As a result, the attacker can read the content of the initial secret revision, compromising the confidentiality of the secret. The root cause is incorrect ownership assignment, where ownership is assigned to an entity outside the intended control. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with low privileges and network access to read sensitive secret data that they should not have access to. Since the attacker can claim ownership of a secret during its initialization, they can access confidential information, leading to a breach of confidentiality.
The attack does not affect the integrity or availability of the system, but the confidentiality impact is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Juju to version 3.6.19 or later, where the issue has been patched.
Since the vulnerability allows an authenticated unit agent to claim ownership of secrets due to a race condition, limiting network access and restricting authenticated unit agent privileges may reduce exposure until the patch is applied.
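To prioritise the upgrade, the affected range listed above (3.0.0 inclusive to 3.6.19 exclusive) can be checked against version strings collected from your own inventory. The script below is an added example, not part of the advisory or of Juju; the inventory lines are constructed, and the `-ubuntu-amd64` style suffix on version strings is an assumption about how they are reported.

```shell
#!/bin/sh
# Added example, not from the advisory. Affected range per this page:
# 3.0.0 (inclusive) up to, but not including, 3.6.19.
AFFECTED_FROM=3.0.0
FIXED_IN=3.6.19

# ver_key VERSION: print a sortable integer for MAJOR.MINOR.PATCH; fail if the
# string does not start with three numeric components (e.g. "3.6-rc1").
ver_key() {
    printf '%s\n' "$1" | awk -F'[.-]' '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            printf "1%04d%04d%04d\n", $1, $2, $3; ok = 1
        }
        END { exit !ok }'
}

# classify VERSION: print affected, not-affected or unknown.
classify() {
    key=$(ver_key "$1") || { echo unknown; return 0; }
    lo=$(ver_key "$AFFECTED_FROM")
    hi=$(ver_key "$FIXED_IN")
    if [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample inventory: "<host> <version string>" per line.
sample_inventory() {
    cat <<'EOF'
ctrl-a 3.6.18-ubuntu-amd64
ctrl-b 3.6.19-genericlinux-amd64
ctrl-c 2.9.51
ctrl-d 3.0.0
ctrl-e 3.6-rc1
EOF
}

# report: read inventory lines on stdin, append the classification.
report() {
    while read -r host ver; do
        printf '%s %s %s\n' "$host" "$ver" "$(classify "$ver")"
    done
}

sample_inventory | report
```

Strings that do not begin with three numeric components are reported as `unknown` rather than guessed at, so they can be reviewed by hand.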