CVE-2026-32691 MEDIUM

CVE-2026-32691: Timing ownership claim attack on new external back-end secrets

Vendor Canonical
Product Juju
Weakness CWE-708
Published March 18, 2026
Last update March 18, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.

Key dates

02Disclosure timeline

March 18, 2026 CVE published
March 18, 2026 Record updated