PT-2026-26057 · Canonical+1 · Juju+1

Dima Tisnek · Published 2026-03-18 · Updated 2026-03-27

CVE-2026-32693 · CVSS v3.1 8.8 (High) · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Juju versions 3.0.0 through 3.6.18
Description: Juju's authorization check for the secret-set operation is flawed: an application or unit that has only been granted access to a secret (a grantee) can update that secret's content. Even when the attempt causes an error to be logged, the update is still applied, and the new value then becomes visible to both the secret's owner and the grantee; the same flaw can lead to other secrets being read or updated. The root cause is an overly broad Kubernetes access policy that permits updates without proper authorization checks. Exploitation requires no additional network access or authentication beyond being a designated grantee. Affected are the application that owns the secret and any third-party application with access to the same Kubernetes secret backend.
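The following is an added illustrative model, not Juju's code and not taken from this advisory. It shows the weakness class the description above names: a write path whose failed ownership check is logged but not enforced, so a grantee's update goes through and the owner later reads back attacker-chosen content, placed beside a corrected owner-only check. The class and method names (SecretStore, secret_set_flawed, secret_set, secret_get) and the sample application names are hypothetical.

```python
import logging
from dataclasses import dataclass, field

# Added illustrative model with hypothetical names; not Juju's implementation.
log = logging.getLogger("secret-store-model")


class AuthorizationError(Exception):
    """Raised when a principal is not permitted to perform an operation."""


@dataclass
class Secret:
    owner: str                                   # application that created the secret
    content: dict                                # current key/value payload
    grantees: set = field(default_factory=set)   # applications granted read access


class SecretStore:
    """Toy secret store: one owner per secret, grants confer read access only."""

    def __init__(self):
        self._secrets = {}

    def add(self, secret_id, owner, content):
        self._secrets[secret_id] = Secret(owner=owner, content=dict(content))

    def grant(self, secret_id, caller, grantee):
        s = self._secrets[secret_id]
        if caller != s.owner:
            raise AuthorizationError(f"{caller} does not own {secret_id}")
        s.grantees.add(grantee)

    def secret_get(self, secret_id, caller):
        s = self._secrets[secret_id]
        if caller != s.owner and caller not in s.grantees:
            raise AuthorizationError(f"{caller} has no access to {secret_id}")
        return dict(s.content)

    def secret_set_flawed(self, secret_id, caller, content):
        """Weak write path: the failed ownership check is logged, not enforced."""
        s = self._secrets[secret_id]
        if caller != s.owner and caller not in s.grantees:
            raise AuthorizationError(f"{caller} has no access to {secret_id}")
        if caller != s.owner:
            # Bug being illustrated: the violation is recorded but execution
            # continues, so the grantee's content replaces the owner's.
            log.error("secret_set by non-owner %s on %s", caller, secret_id)
        s.content = dict(content)

    def secret_set(self, secret_id, caller, content):
        """Corrected write path: only the owner may update secret content."""
        s = self._secrets[secret_id]
        if caller != s.owner:
            raise AuthorizationError(f"{caller} may not update {secret_id}")
        s.content = dict(content)


def demo():
    """Constructed scenario: owner 'database' grants 'webapp' read access.

    Returns (value the owner reads after the flawed write, whether the
    corrected write path rejected the same grantee).
    """
    store = SecretStore()
    store.add("db-creds", owner="database", content={"password": "correct-horse"})
    store.grant("db-creds", caller="database", grantee="webapp")

    # A grantee may read the secret; an application without a grant may not.
    assert store.secret_get("db-creds", "webapp")["password"] == "correct-horse"
    try:
        store.secret_get("db-creds", "stranger")
        raise AssertionError("stranger should not be able to read the secret")
    except AuthorizationError:
        pass

    # Flawed path: the grantee's update is applied and the owner reads it back.
    store.secret_set_flawed("db-creds", "webapp", {"password": "attacker-chosen"})
    owner_sees = store.secret_get("db-creds", "database")["password"]

    # Corrected path: the same grantee is refused and the content is unchanged.
    try:
        store.secret_set("db-creds", "webapp", {"password": "second-attempt"})
        rejected = False
    except AuthorizationError:
        rejected = True
    return owner_sees, rejected


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())  # ('attacker-chosen', True)
```

The point of the contrast is that logging a failed authorization check is not the same as enforcing it: the flawed path produces exactly the symptom the description reports, an error in the log and a secret that was nonetheless rewritten. A write check should fail closed, and the read check (owner or grantee) must never be reused as the write check.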
Recommendations: Versions prior to 3.0.0 are not affected; versions 3.0.0 through 3.6.18 are affected. At the time of this update, no release containing a fix for this vulnerability has been identified.
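As an added check that is not part of the advisory, the helper below reports whether a Juju version string falls inside the affected range stated above, 3.0.0 through 3.6.18 inclusive. It is not Juju's code; it assumes version strings of the form MAJOR.MINOR.PATCH, optionally followed by a hyphenated suffix such as the platform tag that `juju version` typically prints, and it ignores any pre-release tag, so a hypothetical 3.0.0-beta1 is classified like 3.0.0. The function names (parse_version, is_affected, classify) are hypothetical.

```python
import re
import sys

# Affected range from the advisory, inclusive at both ends.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 6, 18)

# Assumed format: MAJOR.MINOR.PATCH with an optional "-suffix" (pre-release
# tag or platform, e.g. "3.6.4-genericlinux-amd64"); the suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.\-]+)?\s*$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or raise ValueError."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version lies within 3.0.0..3.6.18 (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def classify(versions):
    """Map each version string to 'affected', 'not affected' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Usage:  juju version | python3 check_juju_version.py
    #    or:  python3 check_juju_version.py 3.6.18 2.9.52
    args = sys.argv[1:] or [line.strip() for line in sys.stdin if line.strip()]
    for version, verdict in classify(args).items():
        print(f"{version}: {verdict}")
```

The client version printed by `juju version` is only one input: the controller and model agent versions reported by `juju status` are what actually handle secrets, so run each of those through the same check.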

Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

CVE-2026-32693
GHSA-439W-V2P7-PGGC
GO-2026-4777
SUSE-SU-2026:1135-1

Affected Products

Juju
Kubernetes