SecuriTricks - CVE-2026-32694

Description

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

Product(s) Impacted

Vendor	Product	Versions
Canonical	Juju	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-343

Predictable Value Range from Previous Values

The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	canonical	juju	/	/	/	/	/	/	/	/

References

https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p

CVSS Score

6.6 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: March 18, 2026, 2:16 p.m.
Last Modified: March 19, 2026, 3:05 p.m.

Status : Analyzed

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

CVE-2026-32694