GHSA-89x7-5m5m-mcmm

Source
https://github.com/advisories/GHSA-89x7-5m5m-mcmm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-89x7-5m5m-mcmm/GHSA-89x7-5m5m-mcmm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-89x7-5m5m-mcmm
Aliases
Published
2026-03-19T17:32:24Z
Modified
2026-03-23T18:56:21.674921Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Summary
Juju has unauthorized update of out-of-scope Vault secrets
Details

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.

Impact

An authenticated unit agent can update any secret revision of a Vault back-end that the unit's model uses. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.

Patches

3.6.19

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2026-03-18T13:16:18Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "github_reviewed_at": "2026-03-19T17:32:24Z"
}
References

Affected packages

Go / github.com/juju/juju

Package

Name
github.com/juju/juju
Purl
pkg:golang/github.com/juju/juju

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-20230919230135-f6a66aa91eec
Fixed
0.0.0-20260319091847-d06919eb03ec

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-89x7-5m5m-mcmm/GHSA-89x7-5m5m-mcmm.json"