Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
2 vulnerabilities by Windmill Labs
CVE-2026-23696 (GCVE-0-2026-23696)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:50 – Updated: 2026-04-08 03:55
VLAI?
Title
Windmill < 1.603.3 File Ownership Handling SQLi RCE
Summary
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
Severity ?
9.9 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Windmill Labs | Windmill CE (Community Edition) |
Affected:
1.276.0 , ≤ 1.603.2
(semver)
Unaffected: 1.603.3 |
||||||||||||
|
||||||||||||||
Credits
Valentin Lobstein (Chocapikk)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23696",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T03:55:43.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windmill CE (Community Edition)",
"repo": "https://github.com/windmill-labs/windmill",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.603.2",
"status": "affected",
"version": "1.276.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.603.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Windmill EE (Enterprise Edition)",
"repo": "https://github.com/windmill-labs/windmill",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.603.2",
"status": "affected",
"version": "1.276.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.603.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Flow",
"repo": "https://github.com/nextcloud/flow",
"vendor": "Nextcloud",
"versions": [
{
"lessThanOrEqual": "1.2.2",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.3.0"
},
{
"status": "unaffected",
"version": "1.3.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Valentin Lobstein (Chocapikk)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints."
}
],
"value": "Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:54:36.983Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Chocapikk/Windfall"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.603.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe"
},
{
"tags": [
"product"
],
"url": "https://www.windmill.dev/"
},
{
"tags": [
"release-notes"
],
"url": "https://apps.nextcloud.com/apps/flow/releases"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Windmill \u003c 1.603.3 File Ownership Handling SQLi RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23696",
"datePublished": "2026-04-07T16:50:53.231Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-04-08T03:55:43.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22683 (GCVE-0-2026-22683)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:50 – Updated: 2026-04-13 13:04
VLAI?
Title
Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Summary
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Windmill Labs | Windmill CE (Community Edition) |
Affected:
1.56.0 , ≤ 1.614.0
(semver)
Unaffected: 1.615.0 |
||||||||||||
|
||||||||||||||
Credits
Valentin Lobstein (Chocapikk)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22683",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T03:55:45.209485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:04:17.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windmill CE (Community Edition)",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.614.0",
"status": "affected",
"version": "1.56.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.615.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Windmill EE (Enterprise Edition)",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.614.0",
"status": "affected",
"version": "1.56.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.615.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Flow",
"repo": "https://github.com/nextcloud/flow",
"vendor": "Nextcloud",
"versions": [
{
"lessThanOrEqual": "1.3.1",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Valentin Lobstein (Chocapikk)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
}
],
"value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:55:39.956Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Chocapikk/Windfall"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b"
},
{
"tags": [
"product"
],
"url": "https://www.windmill.dev/"
},
{
"tags": [
"release-notes"
],
"url": "https://apps.nextcloud.com/apps/flow/releases"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Windmill \u003c 1.615.0 Operator Role Missing Authorization Checks RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-22683",
"datePublished": "2026-04-07T16:50:30.297Z",
"dateReserved": "2026-01-08T19:04:26.365Z",
"dateUpdated": "2026-04-13T13:04:17.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}