CVE-2026-32693
Received Received - Intake
Improper Authorization in Juju Secret-Set Allows Secret Modification

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: Canonical Ltd.

Description
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32693
EUVD
EUVD-2026-12819
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
canonical juju From 3.0.0 (inc) to 3.6.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32693 is a high-severity vulnerability in the Juju Kubernetes secret management system affecting versions 3.0.0 through 3.6.18. The issue is caused by improper authorization checks in the secret-set tool and controller requests. This flaw allows an application that has been granted access to a secret to update the secret's content, which should normally be prohibited."}, {'type': 'paragraph', 'content': 'Specifically, when a secret is granted to an application, that application should only be able to read the secret and only those secrets explicitly granted to it. However, due to overly broad Kubernetes access policies and incorrect authorization, a grantee can patch the secret content without creating a new secret revision. This means the secret value can be modified or revealed without proper permissions.'}, {'type': 'paragraph', 'content': 'Even when the secret-set tool logs a permission denied error during an exploitation attempt, the secret is still updated and the new value is visible to both the owner and the grantee, which is contrary to expected behavior.'}] [1]

Impact Analysis

This vulnerability can have serious security impacts. It allows unauthorized applications to modify or read secret data that they should not have access to. This can lead to exposure of sensitive information and unauthorized changes to secret values.

Because secrets are often used to store sensitive credentials, tokens, or configuration data, unauthorized modification or disclosure can compromise the confidentiality, integrity, and availability of systems relying on these secrets.

The flaw affects not only the owning application but also any third-party applications granted access and any other applications sharing the same Kubernetes secret backend, increasing the risk of widespread impact within the environment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring the use of the "secret-set" tool in Juju environments, especially looking for cases where secret updates are logged as permission denied errors but still succeed. Since the vulnerability allows unauthorized applications to update secret content despite permission errors, auditing secret modification attempts and comparing them with authorization logs is critical.'}, {'type': 'paragraph', 'content': 'Specific commands to detect exploitation attempts are not provided in the available resources.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade Juju to version 3.6.19 or later, where this vulnerability has been patched.

Additionally, reviewing and tightening Kubernetes access policies related to secret grants can help reduce the risk of unauthorized secret modifications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart