CVE-2026-32694

Insecure Direct Object Reference attack via predictable secret ID in Juju

Assigner: canonical
Reserved: 13.03.2026 Published: 18.03.2026 Updated: 18.03.2026

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 6.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Canonical
Product	Juju
Versions	Default: unaffected affected from 3.0.0 to 3.6.19 (excl.)

Vendor

Canonical

Product

Juju

Versions

Default: unaffected

affected from 3.0.0 to 3.6.19 (excl.)

Credits

Dima Tisnek finder

References

Problem Types

CWE-343 Predictable value range from previous values CWE
CWE-639 Authorization bypass through User-Controlled key CWE

Impacts

CAPEC-59: Session Credential Falsification through Prediction