CVE-2026-32694: Authorization Bypass via Predictable Identifiers and Confused Deputy in Canonical Juju
Vulnerability ID: CVE-2026-32694
CVSS Score: 6.6
Published: 2026-03-19
Canonical Juju versions 3.0.0 through 3.6.18 contain a critical authorization bypass vulnerability within the secret management subsystem. Due to predictable secret identifiers and the absence of provenance verification, a malicious application can leverage a provider application as a confused deputy to access secrets belonging to other applications in the same model.
TL;DR
A predictable ID generation algorithm combined with a lack of provenance checks allows malicious Juju applications to steal secrets from other applications via a Confused Deputy attack.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-639, CWE-343
- Attack Vector: Network
- Privileges Required: High
- CVSS v3.1: 6.6
- Exploit Status: Proof-of-Concept
Affected Systems
- Canonical Juju Controller
- Canonical Juju Agents
- Juju Charms utilizing secret management
- Juju: >= 3.0.0, <= 3.6.18 (Fixed in: 3.6.19)
Code Analysis
Commit: d06919e
Fix commit: introduces backend token verification and entity resolution changes.
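Simplified model of the weakness class described in the summary above and of the direction of the fix: guessable sequential identifiers (CWE-343) and a relay that authorizes against its own access rather than the requester's (CWE-639), beside a hardened relay that authorizes the resolved requesting entity. This is an added illustration constructed for this page, not Juju's code: the SecretBackend class, the relay_* functions, the app names and the grant model are all assumptions.

```python
import secrets

class SecretBackend:
    """Constructed model store: secret_id -> (owner, value) plus a grant set."""

    def __init__(self, predictable_ids=False):
        self.secrets, self._grants, self._counter = {}, set(), 0
        self._predictable_ids = predictable_ids

    def create(self, owner, value):
        if self._predictable_ids:
            # CWE-343: sequential IDs are guessable by any app in the model.
            self._counter += 1
            sid = f"secret:{self._counter}"
        else:
            sid = "secret:" + secrets.token_urlsafe(16)  # 128-bit random ID
        self.secrets[sid] = (owner, value)
        self._grants.add((sid, owner))  # the owner may always read its own secret
        return sid

    def grant(self, sid, app):
        self._grants.add((sid, app))

    def authorized(self, sid, app):
        return (sid, app) in self._grants

def relay_vulnerable(backend, provider, requester, sid):
    """Provider reads on behalf of `requester` but checks only ITS OWN grant
    (CWE-639): whoever can reach the provider borrows the provider's authority."""
    if not backend.authorized(sid, provider):
        raise PermissionError(f"{provider} not granted {sid}")
    return backend.secrets[sid][1]

def relay_fixed(backend, provider, requester, sid):
    """Hardened relay: resolve the call to the original requesting entity and
    authorize as that entity, so the provider cannot act as a confused deputy."""
    if not backend.authorized(sid, requester):
        raise PermissionError(f"{requester} not granted {sid}")
    return backend.secrets[sid][1]

def run_scenario(relay, predictable_ids=True):
    """victim-app shares a secret with provider-app; other-app, never granted
    anything, asks provider-app for it by ID. Returns the value or the error."""
    backend = SecretBackend(predictable_ids)
    sid = backend.create("victim-app", "db-password")
    backend.grant(sid, "provider-app")
    try:
        return relay(backend, "provider-app", "other-app", sid)
    except PermissionError as exc:
        return str(exc)
```

With the vulnerable relay the ungranted app receives the victim's value; with the hardened relay the same request is refused, and unpredictable IDs additionally remove the enumeration foothold.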
Mitigation Strategies
- Upgrade Juju to version 3.6.19 or later.
- Rotate all existing secrets after upgrading.
- Update provider charms to use secret-info-get for provenance verification.
Remediation Steps:
- Deploy Juju version 3.6.19 across all controllers and agents.
- Identify all shared models utilizing Cross-Model Relations (CMR).
- Execute secret rotation procedures for all sensitive configuration data.
- Audit custom charms to ensure implementation of the new provenance verification API.
References
- GitHub Advisory (GHSA-5cj2-rqqf-hx9p)
- Juju Release Notes 3.6.19
- NVD Record
- Fix Commit (d06919eb03ec68156818bcc304b5fe1c39a8f9e9)