CVE-2026-32691 Overview
A race condition vulnerability exists in the secrets management subsystem of Canonical Juju, an open-source application modeling tool used for deploying, configuring, and managing applications on cloud infrastructure. The flaw allows an authenticated unit agent to exploit a timing window between secret ID generation and the creation of the secret's first revision, enabling unauthorized ownership claims of newly initialized secrets.
Critical Impact
An authenticated attacker can intercept and claim ownership of secrets during initialization, gaining unauthorized read access to sensitive configuration data and credentials stored in the Juju secrets management system.
Affected Products
- Canonical Juju versions 3.0.0 through 3.6.18
Discovery Timeline
- 2026-03-18 - CVE-2026-32691 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32691
Vulnerability Analysis
This vulnerability is classified as a Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-708) that affects the secrets management workflow in Juju. The flaw exists in the two-phase process of secret creation: first, a unique Secret ID is generated, and then a separate operation creates the first revision of the secret with its actual content.
The network-accessible nature of this vulnerability means that authenticated unit agents on the same Juju controller can potentially exploit this timing window. However, successful exploitation requires precise timing and authentication as a unit agent within the same Juju environment, which increases the complexity of the attack.
When exploited, an attacker gains read access to the initial secret revision, which may contain sensitive data such as database credentials, API keys, TLS certificates, or other configuration secrets that Juju manages for deployed applications.
Root Cause
The root cause is an improper resolution of the race condition in the secrets management subsystem. The vulnerability arises because the secret ownership assignment is not atomically linked to the secret creation process. The temporal gap between generating a Juju Secret ID and establishing the first revision creates an exploitable window where another authenticated unit agent can intercept and claim ownership before the legitimate owner completes the initialization.
This design flaw violates the principle of atomic operations for security-sensitive actions, where the generation of an identifier and the binding of ownership should occur as an indivisible transaction.
Attack Vector
The attack requires network access and authentication as a unit agent within the Juju environment. An attacker who has compromised or controls a unit agent on the same Juju controller can monitor for secret initialization events and attempt to race the legitimate owner by submitting an ownership claim for the newly generated Secret ID.
The attack flow involves:
- Attacker gains authentication as a unit agent within the Juju controller
- Attacker monitors or predicts secret initialization events
- When a new Secret ID is generated, the attacker races to claim ownership
- If successful, the attacker can read the contents of the initial secret revision
Due to the high attack complexity required (timing precision and pre-existing authenticated access), exploitation in practice is challenging but not impossible in environments where unit agent credentials may be exposed or shared.
Detection Methods for CVE-2026-32691
Indicators of Compromise
- Unexpected secret ownership changes in Juju audit logs
- Multiple unit agents attempting to claim the same Secret ID within milliseconds
- Anomalous patterns of secret access from unit agents that did not create those secrets
- Rapid succession of secret creation and ownership claim API calls from different agents
Detection Strategies
- Enable comprehensive audit logging on the Juju controller to track all secret management operations
- Monitor for secret ownership claims that originate from unit agents different from the expected creator
- Implement alerting for race condition patterns: multiple ownership claims for the same Secret ID within a short time window
- Review unit agent authentication patterns for anomalous behavior
Monitoring Recommendations
- Configure Juju controller audit logs to capture all secrets API operations with timestamps
- Deploy log aggregation and analysis to correlate secret creation events with ownership claims
- Establish baselines for normal secret management operations to identify deviations
- Monitor network traffic between unit agents and the Juju controller for unusual API call patterns
How to Mitigate CVE-2026-32691
Immediate Actions Required
- Upgrade Canonical Juju to a patched version beyond 3.6.18
- Review Juju audit logs for evidence of exploitation or suspicious secret ownership patterns
- Rotate any secrets that may have been exposed during the vulnerable window
- Restrict network access to the Juju controller to limit the attack surface
Patch Information
Canonical has released security updates to address this vulnerability. Organizations should upgrade their Juju installations to the latest patched versions. For detailed remediation guidance, refer to the GitHub Security Advisory GHSA-gfgr-6hrj-85ww.
The fix likely implements atomic secret creation and ownership binding to eliminate the race condition window.
Workarounds
- Limit the number of unit agents with access to the Juju controller to reduce the pool of potential attackers
- Implement additional network segmentation to isolate unit agents from each other
- Monitor and audit all secret management operations until patches can be applied
- Consider temporarily avoiding the creation of new highly sensitive secrets until the environment is patched
# Check current Juju version
juju version
# Upgrade Juju controller (example for snap installation)
sudo snap refresh juju --channel=latest/stable
# Review audit logs for suspicious secret operations
juju debug-log --replay | grep -i "secret"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
