CVE-2026-32693: Juju has unauthorized access to out-of-scope Kubernetes secrets
A grantee is able to update secret content using the secret-set tool because of a broad Kubernetes access policy.
The implication is that it is possible, knowing a Kubernetes secret's identifier (e.g. its name), either to patch the secret without changing it, which reveals its value, or to patch it in a way that changes the secret's value.