Description
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
Published: 2026-03-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Patch Immediately
AI Analysis

Impact

Windmill is an open-source developer platform that interpolates workspace environment variable values into JavaScript string literals without escaping single quotes in its NativeTS executor. A workspace administrator who sets a custom environment variable containing a single quote can inject arbitrary JavaScript, which then executes inside every NativeTS script running in that workspace. This code injection flaw can lead to unauthorized script execution, manipulation of data, and potential privilege escalation within the workspace environment.

Affected Systems

Windmill Labs’ Windmill platform is affected. All releases prior to version 1.664.0 contain the vulnerability. The issue is specifically in the NativeTS executor’s worker.rs component. Versions 1.664.0 and later include a fix.

Risk and Exploitability

The CVSS score of 7.3 reflects a high severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must have workspace administrator privileges to set the malicious environment variable, so the exploitation vector is internal. Once set, the injected code executes each time a NativeTS script runs, providing persistent code execution within the workspace.

Generated by OpenCVE AI on April 8, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the currently installed Windmill version.
  • Apply the 1.664.0 update or later to remediate the code injection flaw.
  • Confirm that the update has succeeded and that environment variable interpolation is no longer vulnerable.
  • Monitor application logs for any indicators of unauthorized script execution.

Generated by OpenCVE AI on April 8, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Windmill
Windmill windmill
CPEs cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*
Vendors & Products Windmill
Windmill windmill
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Windmill-labs
Windmill-labs windmill
Vendors & Products Windmill-labs
Windmill-labs windmill

Fri, 27 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
Title Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Windmill Windmill
Windmill-labs Windmill
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:36.629Z

Reserved: 2026-03-24T15:10:05.681Z

Link: CVE-2026-33881

cve-icon Vulnrichment

Updated: 2026-03-31T13:59:06.461Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T21:17:24.693

Modified: 2026-04-08T14:39:08.497

Link: CVE-2026-33881

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:01Z

Weaknesses