Cyber Resilience

CVE-2026-32693

HighPublic PoC

Published: 18 March 2026

Published
18 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32693 is a high-severity Improper Access Control (CWE-284) vulnerability in Canonical Juju. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32693 is an authorization vulnerability affecting Juju versions 3.0.0 through 3.6.18. The issue lies in the improper authorization checks for the "secret-set" tool, enabling a grantee to update secret content and potentially read or update other secrets. Additionally, even when the tool logs an error during an exploitation attempt, the secret is still updated unexpectedly, making the new value visible to both the owner and the grantee. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 284 (Improper Access Control), 778 (Insufficient Logging), and 863 (Incorrect Authorization).

An attacker with low privileges, specifically a grantee of a secret, can exploit this over the network with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, including unauthorized updates to secret content, reading of other secrets, and persistent changes that remain visible despite error logging.

Mitigation details are available in the GitHub Security Advisory at https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs…

more

an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in network-reachable secret management tool directly enables remote exploitation of the application (T1190) and subsequent unauthorized access/modification of secrets (privilege escalation, T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4370Same product: Canonical Juju
CVE-2025-53513Same product: Canonical Juju
CVE-2025-0928Same product: Canonical Juju
CVE-2026-5412Same product: Canonical Juju
CVE-2026-32692Same product: Canonical Juju
CVE-2026-34179Same vendor: Canonical
CVE-2026-47331Same vendor: Canonical
CVE-2026-3888Same vendor: Canonical
CVE-2026-47333Same vendor: Canonical
CVE-2026-34177Same vendor: Canonical

Affected Assets

canonical
juju
3.0.0 — 3.6.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to secrets, directly preventing grantees from improperly updating secret content due to flawed authorization checks.

preventrecover

Requires timely identification, reporting, and remediation of the specific authorization flaw in Juju's secret-set tool, eliminating the vulnerability through patching.

prevent

Bounds error conditions and prevents unintended secret updates when authorization fails during secret-set operations, even if errors are logged.

References