CVE-2026-32693 HIGH

CVE-2026-32693: Unauthorized access to Kubernetes secrets in Juju

Vendor Canonical

Product Juju

Weakness CWE-863 · Incorrect authorization

Published March 18, 2026

Last update March 18, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

Key dates

02Disclosure timeline

March 18, 2026 CVE published

March 18, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32693 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-32693: Unauthorized access to Kubernetes secrets in Juju

01Description

02Disclosure timeline

03References

04Related CVE