CVE-2026-32694 | THREATINT

Description

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

PUBLISHED Reserved 2026-03-13 | Published 2026-03-18 | Updated 2026-03-18 | Assigner canonical

MEDIUM: 6.6CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-343 Predictable value range from previous values

CWE-639 Authorization bypass through User-Controlled key

Product status

Default status

unaffected

3.0.0 (semver) before 3.6.19

affected

Credits

Dima Tisnek finder

References

github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p vendor-advisory vdb-entry

cve.org (CVE-2026-32694)

nvd.nist.gov (CVE-2026-32694)

Download JSON