Description
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file read
Action: Apply Patch
AI Analysis

Impact

Windmill, an open‑source developer platform, contains a path‑traversal vulnerability in the get_log_file endpoint. An unauthenticated attacker can append '../' sequences to the filename parameter, causing the application to read arbitrary files from the server’s file system. This permits access to sensitive configuration files or credentials, resulting in a breach of confidentiality.

Affected Systems

The vulnerability affects windmill-labs Windmill versions released before 1.603.3. Any deployment using a pre‑1.603.3 release with the /api/w/{workspace}/jobs_u/get_log_file/{filename} endpoint is susceptible.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity, while the EPSS of <1% indicates a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation. An attacker can exploit the path traversal by sending a crafted GET request over the network without authentication, gaining read access to arbitrary server files and potentially exposing secrets or credentials.

Generated by OpenCVE AI on April 15, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Windmill to version 1.603.3 or later, which fixes the path traversal flaw.
  • If an immediate upgrade is not possible, block external access to the /api/w/... endpoint or enforce authentication to prevent unauthenticated use.
  • Add application‑layer protection such as a WAF rule or input sanitization logic to detect and reject relative path sequences, and consider tightening file system permissions on log directories.

Generated by OpenCVE AI on April 15, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Windmill
Windmill windmill
CPEs cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*
Vendors & Products Windmill
Windmill windmill
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Windmill-labs
Windmill-labs windmill
Vendors & Products Windmill-labs
Windmill-labs windmill

Fri, 06 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.
Title Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Windmill Windmill
Windmill-labs Windmill
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:16:12.488Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29059

cve-icon Vulnrichment

Updated: 2026-03-09T20:01:38.640Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T08:16:26.437

Modified: 2026-04-14T17:48:25.300

Link: CVE-2026-29059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses