Juju 3.0.0-3.6.18 Authenticated Unit Agent Race Condition Allows Secret Theft
CVE-2026-32691 Published on March 18, 2026
Timing ownership claim attack on new external back-end secrets
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Vulnerability Analysis
CVE-2026-32691 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Incorrect Ownership Assignment
The software assigns an owner to a resource, but the owner is outside of the intended control sphere. This may allow the resource to be manipulated by actors outside of the intended control sphere.
Affected Versions
Canonical Juju:- Version 3.0.0 and below 3.6.19 is affected.