CVE-2026-32693
Improper Authorization in Juju Secret-Set Allows Secret Modification
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: Canonical Ltd.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | juju | From 3.0.0 (inc) to 3.6.19 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-778 | When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32693 is a high-severity vulnerability in the Juju Kubernetes secret management system affecting versions 3.0.0 through 3.6.18. The issue is caused by improper authorization checks in the secret-set tool and controller requests. This flaw allows an application that has been granted access to a secret to update the secret's content, which should normally be prohibited.

Specifically, when a secret is granted to an application, that application should only be able to read the secret, and only those secrets explicitly granted to it. However, due to overly broad Kubernetes access policies and incorrect authorization, a grantee can patch the secret content without creating a new secret revision. This means the secret value can be modified or revealed without proper permissions.

Even when the secret-set tool logs a permission denied error during an exploitation attempt, the secret is still updated and the new value is visible to both the owner and the grantee, which is contrary to expected behavior. [1]
How can this vulnerability impact me?
This vulnerability can have serious security impacts. It allows unauthorized applications to modify or read secret data that they should not have access to. This can lead to exposure of sensitive information and unauthorized changes to secret values.
Because secrets are often used to store sensitive credentials, tokens, or configuration data, unauthorized modification or disclosure can compromise the confidentiality, integrity, and availability of systems relying on these secrets.
The flaw affects not only the owning application but also any third-party applications granted access and any other applications sharing the same Kubernetes secret backend, increasing the risk of widespread impact within the environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring the use of the "secret-set" tool in Juju environments, especially looking for cases where secret updates are logged as permission denied errors but still succeed. Since the vulnerability allows unauthorized applications to update secret content despite permission errors, auditing secret modification attempts and comparing them with authorization logs is critical.

Specific commands to detect exploitation attempts are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Juju to version 3.6.19 or later, where this vulnerability has been patched.
Additionally, reviewing and tightening Kubernetes access policies related to secret grants can help reduce the risk of unauthorized secret modifications.