CVE-2026-32692: Juju has unauthorized update of out-of-scope Vault secrets

March 19, 2026

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.

References

github.com/advisories/GHSA-89x7-5m5m-mcmm
github.com/juju/juju
github.com/juju/juju/commit/d06919eb03ec68156818bcc304b5fe1c39a8f9e9
github.com/juju/juju/security/advisories/GHSA-89x7-5m5m-mcmm
nvd.nist.gov/vuln/detail/CVE-2026-32692

Code Behaviors & Features

Detect and mitigate CVE-2026-32692 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →