Vulnerability Details CVE-2026-32691
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.6%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2026-32691
-
cpe:2.3:a:canonical:juju:3.1
-
cpe:2.3:a:canonical:juju:3.1.0
-
cpe:2.3:a:canonical:juju:3.1.1
-
cpe:2.3:a:canonical:juju:3.1.10
-
cpe:2.3:a:canonical:juju:3.1.2
-
cpe:2.3:a:canonical:juju:3.1.3
-
cpe:2.3:a:canonical:juju:3.1.4
-
cpe:2.3:a:canonical:juju:3.1.5
-
cpe:2.3:a:canonical:juju:3.1.6
-
cpe:2.3:a:canonical:juju:3.1.7
-
cpe:2.3:a:canonical:juju:3.1.8
-
cpe:2.3:a:canonical:juju:3.1.9
-
cpe:2.3:a:canonical:juju:3.2
-
cpe:2.3:a:canonical:juju:3.3
-
cpe:2.3:a:canonical:juju:3.3.0
-
cpe:2.3:a:canonical:juju:3.3.1
-
cpe:2.3:a:canonical:juju:3.3.2
-
cpe:2.3:a:canonical:juju:3.3.3
-
cpe:2.3:a:canonical:juju:3.3.4
-
cpe:2.3:a:canonical:juju:3.3.5
-
cpe:2.3:a:canonical:juju:3.3.6
-
cpe:2.3:a:canonical:juju:3.3.7
-
cpe:2.3:a:canonical:juju:3.4
-
cpe:2.3:a:canonical:juju:3.4.1
-
cpe:2.3:a:canonical:juju:3.4.2
-
cpe:2.3:a:canonical:juju:3.4.3
-
cpe:2.3:a:canonical:juju:3.4.4
-
cpe:2.3:a:canonical:juju:3.4.5
-
cpe:2.3:a:canonical:juju:3.4.6
-
cpe:2.3:a:canonical:juju:3.5
-
cpe:2.3:a:canonical:juju:3.5.0
-
cpe:2.3:a:canonical:juju:3.5.1
-
cpe:2.3:a:canonical:juju:3.5.2
-
cpe:2.3:a:canonical:juju:3.5.3
-
cpe:2.3:a:canonical:juju:3.5.4
-
cpe:2.3:a:canonical:juju:3.5.5
-
cpe:2.3:a:canonical:juju:3.5.6
-
cpe:2.3:a:canonical:juju:3.5.7
-
cpe:2.3:a:canonical:juju:3.6