CVE-2026-32694

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32694

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32694.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32694

Aliases

Downstream

SUSE-SU-2026:1135-1

Related

SUSE-SU-2026:1135-1

Published

2026-03-18T14:16:40.503Z

Modified

2026-04-10T05:42:24.833771Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

References

https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p

Affected packages

Git / github.com/juju/juju

Affected ranges

Type

GIT

Repo

https://github.com/juju/juju

Events

Introduced

35c560704ee254219ae0c4a37810bde5278e99bb

Fixed

5a261e58fcd3bd366b36229bfd1c46e6b3b61402

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.6.19"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32694.json"