High severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 18, 2026
Unauthorized access to Kubernetes secrets in Juju
CVE-2026-32693
Description
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/juju/juju (Go) | >= 0.0.0-20221021155847-35c560704ee2, < 0.0.0-20260319091847-d06919eb03ec | 0.0.0-20260319091847-d06919eb03ec |
Affected products
- ghsa-coords (2 versions): >= 0.0.0-20221021155847-35c560704ee2, < 0.0.0-20260319091847-d06919eb03ec
- (no CPE) range: >= 0.0.0-20221021155847-35c560704ee2, < 0.0.0-20260319091847-d06919eb03ec
- (no CPE) range: < 0.0.20260326T203309-150000.1.155.2
References
- github.com/advisories/GHSA-439w-v2p7-pggc (ghsa, ADVISORY)
- github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc (ghsa, vendor-advisory, vdb-entry, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32693 (ghsa, ADVISORY)
- github.com/juju/juju/commit/d06919eb03ec68156818bcc304b5fe1c39a8f9e9 (ghsa, WEB)