CVE-2026-32693
Published: 18 March 2026
Summary
CVE-2026-32693 is a high-severity Improper Access Control (CWE-284) vulnerability in Canonical Juju. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to secrets, directly preventing grantees from improperly updating secret content due to flawed authorization checks.
Requires timely identification, reporting, and remediation of the specific authorization flaw in Juju's secret-set tool, eliminating the vulnerability through patching.
Bounds error conditions and prevents unintended secret updates when authorization fails during secret-set operations, even if errors are logged.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in network-reachable secret management tool directly enables remote exploitation of the application (T1190) and subsequent unauthorized access/modification of secrets (privilege escalation, T1068).
NVD Description
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs…
more
an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
Deeper analysisAI
CVE-2026-32693 is an authorization vulnerability affecting Juju versions 3.0.0 through 3.6.18. The issue lies in the improper authorization checks for the "secret-set" tool, enabling a grantee to update secret content and potentially read or update other secrets. Additionally, even when the tool logs an error during an exploitation attempt, the secret is still updated unexpectedly, making the new value visible to both the owner and the grantee. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 284 (Improper Access Control), 778 (Insufficient Logging), and 863 (Incorrect Authorization).
An attacker with low privileges, specifically a grantee of a secret, can exploit this over the network with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, including unauthorized updates to secret content, reading of other secrets, and persistent changes that remain visible despite error logging.
Mitigation details are available in the GitHub Security Advisory at https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc.
Details
- CWE(s)