Description
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Published: 2026-03-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach
Action: Patch
AI Analysis

Impact

The vulnerability is a race condition in Juju's secrets subsystem present in versions 3.0.0 to 3.6.18. During the period between secret ID generation and creation of the first revision, an attacker with unit agent credentials can claim ownership of a known secret. After claiming ownership, the attacker can read the contents of that secret's first revision. This is a confidentiality breach classified under CWE‑708.

Affected Systems

Canonically Juju deployments running any version between 3.0.0 and 3.6.18 inclusive. The vulnerability is limited to authenticated unit agents within a Juju cluster.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS is less than 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in KEV. The attack vector requires local authenticated access to a unit agent; an attacker who can execute code as a unit agent can exploit the race condition by timing the claim before the secret first revision is created.

Generated by OpenCVE AI on March 19, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Juju 3.6.19 or later to eliminate the race condition.
  • Verify that the current running Juju version is 3.6.19 or newer.
  • If an upgrade cannot be performed immediately, restrict unit agent permissions to prevent unauthorized secret creation and monitor for suspicious secret claims.

Generated by OpenCVE AI on March 19, 2026 at 16:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gfgr-6hrj-85ww Juju affected by timing ownership claim attack on new external back-end secrets
History

Thu, 19 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical juju
Vendors & Products Canonical
Canonical juju

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Title Timing ownership claim attack on new external back-end secrets
Weaknesses CWE-708
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Canonical Juju
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-03-18T13:49:09.338Z

Reserved: 2026-03-13T12:53:34.544Z

Link: CVE-2026-32691

cve-icon Vulnrichment

Updated: 2026-03-18T13:47:05.466Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T13:16:18.163

Modified: 2026-03-19T15:34:39.153

Link: CVE-2026-32691

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:49Z

Weaknesses