CVE-2026-32693

High CVSS: 8.8

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

Vendor

Canonical

Product

Juju

CWE

CWE-284

Yayın Tarihi

2026-03-18 13:16:18

Güncelleme

2026-03-19 15:17:00

Source Identifier

security@ubuntu.com

KEV Date Added

Kategoriler

CWE-284 Juju HIGH Canonical 2026

Referanslar

https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc

Benzer Kayıtlar

Critical

CVE-2026-4370

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the inter…

Medium

CVE-2026-32694

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret o…

Medium

CVE-2026-32691

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit…

High

CVE-2026-32692

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18…

Low

CVE-2026-3351

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated,…

Low

CVE-2025-5467

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files…