CVE-2026-32691 PUBLISHED

Timing ownership claim attack on new external back-end secrets

Assigner: canonical
Reserved: 13.03.2026 Published: 18.03.2026 Updated: 18.03.2026

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Canonical
Product	Juju
Versions	Default: unaffected affected from 3.0.0 to 3.6.19 (excl.)

Credits

Harry Pidcock finder

References

https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww

Problem Types

CWE-708 Incorrect ownership assignment CWE

Impacts

CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions