Race Condition Vulnerability in Juju Secrets Management by Canonical
CVE-2026-32691

5.3MEDIUM

Key Information:

Vendor: Canonical
Status: Juju
Vendor: CVE Published:; 18 March 2026

What is CVE-2026-32691?

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. This occurs during the window between the generation of a Juju Secret ID and the creation of the secret's first revision, enabling an attacker to seize ownership of a known secret. Consequently, the attacking unit gains the ability to read the content of the initial secret revision, potentially exposing sensitive information.

Affected Version(s)

Juju Linux 3.0.0 < 3.6.19

References

https://github.com/juju/juju/security/advisories/GHSA-gfg...

vendor-advisoryvdb-entry

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2026
Vulnerability Reserved
Mar 13, 2026

Credit

Harry Pidcock

CVE-2026-32691 Data

JSON