CVE-2026-32694: Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets

March 19, 2026 (updated April 17, 2026)

Predictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads.

References

github.com/advisories/GHSA-5cj2-rqqf-hx9p
github.com/juju/juju/commit/d06919eb03ec68156818bcc304b5fe1c39a8f9e9
github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p
nvd.nist.gov/vuln/detail/CVE-2026-32694

Code Behaviors & Features

Detect and mitigate CVE-2026-32694 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →