FKIE_CVE-2026-22683

Vulnerability from fkie_nvd - Published: 2026-04-07 17:16 - Updated: 2026-04-24 16:49
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.
References
disclosure@vulncheck.comhttps://apps.nextcloud.com/apps/flow/releasesRelease Notes
disclosure@vulncheck.comhttps://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/Vendor Advisory
disclosure@vulncheck.comhttps://github.com/Chocapikk/WindfallProduct
disclosure@vulncheck.comhttps://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588bPatch
disclosure@vulncheck.comhttps://github.com/windmill-labs/windmill/releases/tag/v1.615.0Release Notes
disclosure@vulncheck.comhttps://www.windmill.dev/Product
Impacted products
Vendor Product Version
nextcloud flow *
windmill windmill *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:flow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "390C858F-42E9-41D5-AE97-11242088C2F0",
              "versionEndIncluding": "1.2.2",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC07ED1D-F0A4-4A59-AA24-52BF463E7D2D",
              "versionEndIncluding": "1.614.0",
              "versionStartIncluding": "1.56.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
    }
  ],
  "id": "CVE-2026-22683",
  "lastModified": "2026-04-24T16:49:50.443",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "disclosure@vulncheck.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T17:16:27.037",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://apps.nextcloud.com/apps/flow/releases"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/Chocapikk/Windfall"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.windmill.dev/"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.