Description
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
Published: 2026-04-07
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An SQL injection flaw in the folder ownership management of Windmill Community and Enterprise Editions allows an authenticated user to inject arbitrary SQL via the owner parameter. The injection can reveal secrets such as the JWT signing key and admin identifiers, enabling the attacker to forge administrative tokens and execute arbitrary code through workflow execution endpoints, giving full control over the system.

Affected Systems

Windmill CE and EE releases between version 1.276.0 and 1.603.2 contain the vulnerability; the issue is fixed in release 1.603.3. The CNA lists Nextcloud Flow as a vendor, but the description indicates the weakness exists only in Windmill itself, and there is no explicit evidence that Nextcloud Flow is affected. If your environment runs Windmill from the affected range, the flaw applies.

Risk and Exploitability

The CVSS base score of 9.4 classifies the issue as critical. EPSS data is not provided and the vulnerability is not catalogued in CISA's KEV list. Attackers only need legitimate credentials to the Windmill instance to exploit the flaw. Once the SQL injection succeeds, the attacker may read sensitive information, craft a forged token, and invoke workflow endpoints to run arbitrary code, compromising confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 7, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Windmill CE or EE to version 1.603.3 or later.


Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nextcloud; Nextcloud flow; Windmill-labs; Windmill-labs windmil

Type: Vendors & Products
Values Removed: (none)
Values Added: Nextcloud; Nextcloud flow; Windmill-labs; Windmill-labs windmil

Tue, 07 Apr 2026 20:45:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Type: Title
Values Removed: (none)
Values Added: Windmill < 1.603.3 File Ownership Handling SQLi RCE

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
cvssV4_0
{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Nextcloud Flow
Windmill-labs Windmil
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-08T03:55:43.162Z

Reserved: 2026-01-14T22:02:15.209Z

Link: CVE-2026-23696

Vulnrichment

Updated: 2026-04-07T18:06:28.119Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T17:16:27.247

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-23696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:38Z

Weaknesses