CVE-2026-32694 Insecure Direct Object Reference attack via predictable secret ID in Juju

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...

PT-2026-26059

Summary Predictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads. Details A Juju application can create a secret and grant it to another integrated application grantee. When they do so, the secret owner has to communicate the secret id to the grantee. T...