Description
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization check that allows users with the Operator role to create and modify entities such as scripts, flows, apps, and raw_app objects through the backend API. Operators are documented and priced as unable to perform those actions, yet the API enforces the restriction only on selected endpoints, leaving operators able to add or update scripts. Because operators can execute scripts via the jobs API, the flaw permits an attacker to gain full code execution on the Windmill deployment. This results in complete compromise of confidentiality, integrity, and availability of the system.
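As an added illustration (not Windmill's code), the Python below contrasts the root cause described above, an Operator check applied handler by handler and missed on most of them, with a single deny-by-default gate in front of every mutating endpoint, plus a regression check that enumerates the mutating endpoints an Operator can still reach. The endpoint names and the role set are assumed for the example; only the entity types come from the advisory.

```python
# Added example, not Windmill's code. Endpoint names and roles are assumed
# for illustration; only the entity types come from the advisory.
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    DEVELOPER = "developer"
    OPERATOR = "operator"


# Every workspace endpoint that creates or modifies an entity (assumed names).
MUTATING = {
    (method, f"{entity}/{action}")
    for entity in ("scripts", "flows", "apps", "raw_apps")
    for method, action in (("POST", "create"), ("POST", "update"))
}
# Read/execute actions an Operator is meant to keep (assumed names).
OPERATOR_ALLOWED = {("GET", "scripts/get"), ("POST", "jobs/run"), ("GET", "jobs/list")}


def per_handler_authorize(role: Role, method: str, path: str) -> bool:
    """Vulnerable pattern (CWE-862): each handler decides for itself, so the
    Operator restriction is enforced only where someone remembered to add it."""
    handlers_with_check = {("POST", "scripts/create")}  # the other handlers forgot
    if role is Role.OPERATOR and (method, path) in handlers_with_check:
        return False
    return True


def central_authorize(role: Role, method: str, path: str) -> bool:
    """Hardened pattern: one gate ahead of all handlers. Operators are denied
    every mutating endpoint and allowed only an explicit read/run set;
    anything not listed is denied by default."""
    if role is not Role.OPERATOR:
        return True
    if (method, path) in MUTATING:
        return False
    return (method, path) in OPERATOR_ALLOWED


def operator_reachable_mutations(authorize) -> list[str]:
    """Regression check: mutating endpoints an Operator can still reach.
    Run it against the policy in CI; the expected answer is an empty list."""
    return sorted(path for method, path in MUTATING
                  if authorize(Role.OPERATOR, method, path))
```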

Affected Systems

Windmill releases from version 1.56.0 up to, but not including, 1.615.0 are affected. This includes the Windmill Community Edition (CE) and Enterprise Edition (EE) from Windmill Labs, as well as the Flow component of Nextcloud. The issue is resolved in release 1.615.0 and later versions. All deployments running a version in the vulnerable range should be upgraded or otherwise mitigated.

Risk and Exploitability

The flaw rates a CVSS score of 8.7, indicating a high severity vulnerability. While an EPSS score is not published, the flaw's existence for over a year and its wide applicability to multiple Windmill installations suggest a significant likelihood of exploitation. The attack requires only authenticated access as a user with the Operator role, which may be granted to non-privileged users. Attackers can exploit the vulnerability over the network by sending crafted API requests to the Windmill backend, resulting in remote code execution. The vulnerability is not yet listed in the CISA KEV catalog, but the high CVSS score and direct RCE potential warrant immediate remediation.

Generated by OpenCVE AI on April 7, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Windmill to version 1.615.0 or later, which adds the missing authorization check.
  • If an upgrade is not immediately possible, restrict network access to the Windmill backend API or place it behind a firewall to limit exposure to trusted hosts.
  • Alternatively, remove or downgrade Operator role permissions so operators cannot create or modify scripts, flows, or apps.
  • Verify that no custom plugins or API calls remain that might provide the same privileges.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 17:00:00 +0000
  First Time appeared: added Windmill; Windmill windmill
  CPEs: removed cpe:2.3:a:nextcloud:flow:*:*:*:*:*:*:*:*; added cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*
  Vendors & Products: added Windmill; Windmill windmill

Mon, 13 Apr 2026 13:15:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000
  First Time appeared: added Nextcloud; Nextcloud flow; Windmill-labs; Windmill-labs windmill
  Vendors & Products: added Nextcloud; Nextcloud flow; Windmill-labs; Windmill-labs windmill

Tue, 07 Apr 2026 18:00:00 +0000
  Description: added "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
  Title: added Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
  Weaknesses: added CWE-862
  References: (none)
  Metrics: added cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Updated: 2026-04-13T13:04:17.928Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22683

Vulnrichment

Updated: 2026-04-13T13:00:41.979Z

NVD

Status: Analyzed

Published: 2026-04-07T17:16:27.037

Modified: 2026-04-24T16:49:50.443

Link: CVE-2026-22683

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:39Z

Weaknesses