{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32691", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-03-13T12:53:34.544Z", "datePublished": "2026-03-18T12:28:11.546Z", "dateUpdated": "2026-03-18T13:49:09.338Z"}, "containers": {"cna": {"title": "Timing ownership claim attack on new external back-end secrets", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-708", "description": "CWE-708 Incorrect ownership assignment", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "affected": [{"vendor": "Canonical", "product": "Juju", "platforms": ["Linux"], "collectionURL": "https://github.com/juju/", "packageName": "juju", "repo": "https://github.com/juju/juju", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.6.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision."}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww", "tags": ["vendor-advisory", "vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Harry Pidcock", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-03-18T12:28:11.546Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T13:46:45.894829Z", "id": "CVE-2026-32691", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:49:09.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T13:46:45.894829Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:47:05.466Z"}}], "cna": {"title": "Timing ownership claim attack on new external back-end secrets", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Harry Pidcock"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/juju/juju", "vendor": "Canonical", "product": "Juju", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.6.19", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "juju", "collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww", "tags": ["vendor-advisory", "vdb-entry"]}], "descriptions": [{"lang": "en", "value": "A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-708", "description": "CWE-708 Incorrect ownership assignment"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-03-18T12:28:11.546Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32691", "state": "PUBLISHED", "dateUpdated": "2026-03-18T13:49:09.338Z", "dateReserved": "2026-03-13T12:53:34.544Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-03-18T12:28:11.546Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BAFE599-DF11-429B-9A8C-970BDB3065C8", "versionEndExcluding": "3.6.19", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision."}], "id": "CVE-2026-32691", "lastModified": "2026-03-19T15:34:39.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-03-18T13:16:18.163", "references": [{"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-708"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.6.19)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Juju", "source": "cna", "vendor": "Canonical"}, "product": "juju", "vendor": "canonical"}], "analysis": {"en": {"generated_at": "2026-03-19T16:14:53.680585+00:00", "value": {"mitigation_remediation": ["Upgrade to Juju 3.6.19 or later to eliminate the race condition.", "Verify that the current running Juju version is 3.6.19 or newer.", "If an upgrade cannot be performed immediately, restrict unit agent permissions to prevent unauthorized secret creation and monitor for suspicious secret claims."], "summary": {"action": "Patch", "impact": "Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "Canonically Juju deployments running any version between 3.0.0 and 3.6.18 inclusive. The vulnerability is limited to authenticated unit agents within a Juju cluster.", "description_and_impact": "The vulnerability is a race condition in Juju's secrets subsystem present in versions 3.0.0 to 3.6.18. During the period between secret ID generation and creation of the first revision, an attacker with unit agent credentials can claim ownership of a known secret. After claiming ownership, the attacker can read the contents of that secret's first revision. This is a confidentiality breach classified under CWE\u2011708.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. EPSS is less than 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in KEV. The attack vector requires local authenticated access to a unit agent; an attacker who can execute code as a unit agent can exploit the race condition by timing the claim before the secret first revision is created."}}}}, "created": "2026-03-19T08:56:42.152086+00:00", "updated": "2026-03-24T10:58:49.943351+00:00", "vendors": ["canonical", "canonical$PRODUCT$juju"]}