Description
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to Kubernetes secrets
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Juju versions 3.0.0 through 3.6.18 allows a user with permission to run the secret‑set tool to update any secret and to read or update other users’ secrets. When the tool logs an error, the secret is still updated and the new value is visible to both the original owner and the attacker, exposing confidential information and violating integrity. The flaw is a misimplementation of the authorization check identified as CWE–284, CWE–778, and CWE–863.

Affected Systems

Affected systems are installations of Canonical Juju on Kubernetes clusters, specifically any Juju release between 3.0.0 and 3.6.18 inclusive. Users should verify their deployment version and plan to upgrade.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of below 1% suggests low current exploitation likelihood. The vulnerability is not listed in CISA KEV. The likely attack vector is an authenticated user or service account that has been granted secret‑set privileges; the mis‑authorization allows that actor to affect secrets beyond their intended scope.

Generated by OpenCVE AI on March 19, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Juju release that includes the fix (any version newer than 3.6.18).
  • Confirm the upgraded package is the patched version.
  • If immediate upgrade is not possible, limit the use of the secret‑set tool to trusted users and review role‑based access controls to reduce risk.
  • Monitor secret‑management logs for anomalous changes and investigate promptly.

Generated by OpenCVE AI on March 19, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-439w-v2p7-pggc Juju has unauthorized access to out-of-scope Kubernetes secrets
History

Thu, 19 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical juju
Vendors & Products Canonical
Canonical juju

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
Title Unauthorized access to Kubernetes secrets in Juju
Weaknesses CWE-284
CWE-778
CWE-863
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Canonical Juju
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-03-18T13:19:58.719Z

Reserved: 2026-03-13T12:53:34.544Z

Link: CVE-2026-32693

cve-icon Vulnrichment

Updated: 2026-03-18T13:18:07.248Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T13:16:18.860

Modified: 2026-03-19T15:17:00.180

Link: CVE-2026-32693

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:48Z

Weaknesses