CVE-2026-32693 PUBLISHED

Unauthorized access to Kubernetes secrets in Juju

Assigner: canonical
Reserved: 13.03.2026 Published: 18.03.2026 Updated: 18.03.2026

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Canonical
Product	Juju
Versions	Default: unaffected affected from 3.0.0 to 3.6.19 (excl.)

Credits

Dima Tisnek finder

References

https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc

Problem Types

CWE-863 Incorrect Authorization CWE
CWE-778 Insufficient logging CWE
CWE-284 Improper Access Control CWE

Impacts

CAPEC-124: Shared Resource Manipulation