{"id":"CVE-2026-32691","details":"A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.","aliases":["GHSA-gfgr-6hrj-85ww","GO-2026-4769"],"modified":"2026-04-10T05:42:26.252614Z","published":"2026-03-18T13:16:18.163Z","related":["SUSE-SU-2026:1135-1"],"references":[{"type":"ADVISORY","url":"https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/juju/juju","events":[{"introduced":"35c560704ee254219ae0c4a37810bde5278e99bb"},{"fixed":"5a261e58fcd3bd366b36229bfd1c46e6b3b61402"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.6.19"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32691.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}