Search
Find a vulnerability
Search criteria
2 vulnerabilities by Windmill Labs
CVE-2026-23696 (GCVE-0-2026-23696)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:50 – Updated: 2026-05-25 23:41
VLAI
Title
Windmill < 1.603.3 File Ownership Handling SQLi RCE
Summary
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
Severity
9.9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://chocapikk.com/posts/2026/windfall-nextclo… | technical-descriptionexploit |
| https://github.com/Chocapikk/Windfall | exploit |
| https://github.com/windmill-labs/windmill/release… | release-notes |
| https://github.com/windmill-labs/windmill/commit/… | patch |
| https://www.windmill.dev/ | product |
| https://apps.nextcloud.com/apps/flow/releases | release-notes |
| https://www.vulncheck.com/advisories/windmill-fil… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Windmill Labs | Windmill CE (Community Edition) |
Affected:
1.276.0 , ≤ 1.603.2
(semver)
Unaffected: 1.603.3 |
|
| Windmill Labs | Windmill EE (Enterprise Edition) |
Affected:
1.276.0 , ≤ 1.603.2
(semver)
Unaffected: 1.603.3 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23696",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T03:55:43.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windmill CE (Community Edition)",
"repo": "https://github.com/windmill-labs/windmill",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.603.2",
"status": "affected",
"version": "1.276.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.603.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Windmill EE (Enterprise Edition)",
"repo": "https://github.com/windmill-labs/windmill",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.603.2",
"status": "affected",
"version": "1.276.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.603.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Valentin Lobstein (Chocapikk)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints."
}
],
"value": "Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:41:39.422Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Chocapikk/Windfall"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.603.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe"
},
{
"tags": [
"product"
],
"url": "https://www.windmill.dev/"
},
{
"tags": [
"release-notes"
],
"url": "https://apps.nextcloud.com/apps/flow/releases"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Windmill \u003c 1.603.3 File Ownership Handling SQLi RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23696",
"datePublished": "2026-04-07T16:50:53.231Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-05-25T23:41:39.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22683 (GCVE-0-2026-22683)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:50 – Updated: 2026-05-25 23:41
VLAI
Title
Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Summary
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://chocapikk.com/posts/2026/windfall-nextclo… | technical-descriptionexploit |
| https://github.com/Chocapikk/Windfall | exploit |
| https://github.com/windmill-labs/windmill/release… | release-notes |
| https://github.com/windmill-labs/windmill/commit/… | patch |
| https://www.windmill.dev/ | product |
| https://apps.nextcloud.com/apps/flow/releases | release-notes |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Windmill Labs | Windmill CE (Community Edition) |
Affected:
1.56.0 , ≤ 1.614.0
(semver)
Unaffected: 1.615.0 |
|
| Windmill Labs | Windmill EE (Enterprise Edition) |
Affected:
1.56.0 , ≤ 1.614.0
(semver)
Unaffected: 1.615.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22683",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T03:55:45.209485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:04:17.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windmill CE (Community Edition)",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.614.0",
"status": "affected",
"version": "1.56.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.615.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Windmill EE (Enterprise Edition)",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.614.0",
"status": "affected",
"version": "1.56.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.615.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Valentin Lobstein (Chocapikk)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
}
],
"value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:41:38.739Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Chocapikk/Windfall"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b"
},
{
"tags": [
"product"
],
"url": "https://www.windmill.dev/"
},
{
"tags": [
"release-notes"
],
"url": "https://apps.nextcloud.com/apps/flow/releases"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Windmill \u003c 1.615.0 Operator Role Missing Authorization Checks RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-22683",
"datePublished": "2026-04-07T16:50:30.297Z",
"dateReserved": "2026-01-08T19:04:26.365Z",
"dateUpdated": "2026-05-25T23:41:38.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}