Description
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
Published: 2026-04-07
Score: 9.4 Critical
EPSS: 5.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw in the folder ownership management of Windmill Community and Enterprise Editions allows an authenticated user to inject arbitrary SQL via the owner parameter. The injection can reveal secrets such as the JWT signing key and admin identifiers, enabling the attacker to forge administrative tokens and execute arbitrary code through workflow execution endpoints, giving full control over the system.

Affected Systems

Windmill CE and EE releases between version 1.276.0 and 1.603.2 contain the vulnerability; the issue is fixed in release 1.603.3. If your environment runs Windmill from the affected range, the flaw applies.

Risk and Exploitability

The CVSS base score of 9.4 classifies the issue as critical. EPSS score of 5% and the vulnerability is not catalogued in CISA's KEV list. Attackers only need legitimate credentials to the Windmill instance to exploit the flaw. Once the SQL injection succeeds, the attacker may read sensitive information, craft a forged token, and invoke workflow endpoints to run arbitrary code, compromising confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 18, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Windmill CE or EE to version 1.603.3 or later.
  • If upgrading early is not possible, restrict exposure of the folder‑ownership management API by blocking the endpoint for non‑privileged users through network or application‑level access controls.
  • As a temporary mitigation, sanitize the owner parameter on input, e.g., by using parameterized queries or input encoding, to prevent SQL injection until a patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 04:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nextcloud
Nextcloud flow
Windmill-labs
Windmill-labs windmil
Vendors & Products Nextcloud
Nextcloud flow
Windmill-labs
Windmill-labs windmil

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
Title Windmill < 1.603.3 File Ownership Handling SQLi RCE
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Nextcloud Flow
Windmill-labs Windmil
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:39.422Z

Reserved: 2026-01-14T22:02:15.209Z

Link: CVE-2026-23696

cve-icon Vulnrichment

Updated: 2026-04-07T18:06:28.119Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T17:16:27.247

Modified: 2026-06-17T10:21:58.120

Link: CVE-2026-23696

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:30:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')