{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32693", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-03-13T12:53:34.544Z", "datePublished": "2026-03-18T12:47:02.982Z", "dateUpdated": "2026-03-18T13:19:58.719Z"}, "containers": {"cna": {"title": "Unauthorized access to Kubernetes secrets in Juju", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-778", "description": "CWE-778 Insufficient logging", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-124", "descriptions": [{"lang": "en", "value": "CAPEC-124: Shared Resource Manipulation"}]}], "affected": [{"vendor": "Canonical", "product": "Juju", "platforms": ["Linux"], "collectionURL": "https://github.com/juju/", "packageName": "juju", "repo": "https://github.com/juju/juju", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.6.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc", "tags": ["vendor-advisory", "vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Dima Tisnek", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-03-18T12:47:02.982Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T13:16:08.879696Z", "id": "CVE-2026-32693", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:19:58.719Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32693", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T13:16:08.879696Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:18:07.248Z"}}], "cna": {"title": "Unauthorized access to Kubernetes secrets in Juju", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Dima Tisnek"}], "impacts": [{"capecId": "CAPEC-124", "descriptions": [{"lang": "en", "value": "CAPEC-124: Shared Resource Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/juju/juju", "vendor": "Canonical", "product": "Juju", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.6.19", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "juju", "collectionURL": "https://github.com/juju/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc", "tags": ["vendor-advisory", "vdb-entry"]}], "descriptions": [{"lang": "en", "value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-778", "description": "CWE-778 Insufficient logging"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-03-18T12:47:02.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32693", "state": "PUBLISHED", "dateUpdated": "2026-03-18T13:19:58.719Z", "dateReserved": "2026-03-13T12:53:34.544Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-03-18T12:47:02.982Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BAFE599-DF11-429B-9A8C-970BDB3065C8", "versionEndExcluding": "3.6.19", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."}], "id": "CVE-2026-32693", "lastModified": "2026-03-19T15:17:00.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-03-18T13:16:18.860", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-778"}, {"lang": "en", "value": "CWE-863"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.6.19)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Juju", "source": "cna", "vendor": "Canonical"}, "product": "juju", "vendor": "canonical"}], "analysis": {"en": {"generated_at": "2026-03-19T16:52:31.155567+00:00", "value": {"mitigation_remediation": ["Apply the latest Juju release that includes the fix (any version newer than 3.6.18).", "Confirm the upgraded package is the patched version.", "If immediate upgrade is not possible, limit the use of the secret\u2011set tool to trusted users and review role\u2011based access controls to reduce risk.", "Monitor secret\u2011management logs for anomalous changes and investigate promptly."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to Kubernetes secrets"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of Canonical Juju on Kubernetes clusters, specifically any Juju release between 3.0.0 and 3.6.18 inclusive. Users should verify their deployment version and plan to upgrade.", "description_and_impact": "The vulnerability in Juju versions 3.0.0 through 3.6.18 allows a user with permission to run the secret\u2011set tool to update any secret and to read or update other users\u2019 secrets. When the tool logs an error, the secret is still updated and the new value is visible to both the original owner and the attacker, exposing confidential information and violating integrity. The flaw is a misimplementation of the authorization check identified as CWE\u2013284, CWE\u2013778, and CWE\u2013863.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the EPSS score of below 1% suggests low current exploitation likelihood. The vulnerability is not listed in CISA KEV. The likely attack vector is an authenticated user or service account that has been granted secret\u2011set privileges; the mis\u2011authorization allows that actor to affect secrets beyond their intended scope."}}}}, "created": "2026-03-19T08:56:40.431328+00:00", "updated": "2026-03-24T10:58:48.163759+00:00", "vendors": ["canonical", "canonical$PRODUCT$juju"]}