{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/windmill/","home_page_url":"https://feed.craftedsignal.io/","items":[
{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-22683"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["windmill","authorization-bypass","privilege-escalation","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWindmill, a low-code internal tool platform, contains a critical missing authorization vulnerability, tracked as CVE-2026-22683, affecting versions 1.56.0 through 1.614.0. The vulnerability stems from a failure to properly enforce role-based access controls within the backend API. Specifically, users assigned the \u0026ldquo;Operator\u0026rdquo; role, who are intended to have limited privileges and be restricted from creating or modifying entities, can bypass these restrictions. This allows Operators to create and modify scripts, flows, apps, and raw_apps, effectively exceeding their intended permissions. Given that Operators can also execute scripts through the jobs API, this authorization bypass facilitates a direct path to privilege escalation and potentially remote code execution within the Windmill environment. Defenders should prioritize patching and detection efforts to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or is assigned an \u0026ldquo;Operator\u0026rdquo; role within the Windmill platform.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Windmill backend API using their Operator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to create a new script, flow, app, or raw_app, bypassing the intended authorization checks for Operator roles.\u003c/li\u003e\n\u003cli\u003eThe Windmill API processes the request without properly validating the Operator\u0026rsquo;s permissions, allowing the entity creation to proceed.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a script containing malicious code designed to escalate privileges or execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the jobs API to execute the newly created malicious script.\u003c/li\u003e\n\u003cli\u003eThe script executes with elevated privileges within the Windmill deployment environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially compromising the entire Windmill instance and connected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-22683 can lead to complete compromise of the Windmill instance. An attacker leveraging an Operator account can gain remote code execution capabilities. The missing authorization can lead to full control over the Windmill instance, potentially affecting all applications, flows, and scripts managed within the platform. Given the nature of Windmill as an internal tool platform, this could expose sensitive internal data and systems to unauthorized access. The number of affected organizations depends on the adoption rate of Windmill within the affected version range.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Windmill instances to a patched version beyond 1.614.0 to remediate CVE-2026-22683.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Windmill Unauthorized Entity Creation\u003c/code\u003e to detect attempts to create scripts, flows, apps, or raw_apps from Operator accounts via the API.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Windmill Job Execution of Newly Created Entities\u003c/code\u003e to detect the execution of scripts, flows, apps or raw_apps that were recently created.\u003c/li\u003e\n\u003cli\u003eMonitor Windmill API logs for suspicious activity related to entity creation and modification, focusing on requests originating from Operator accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:27Z","date_published":"2026-04-07T17:16:27Z","id":"/briefs/2024-02-29-windmill-auth-bypass/","summary":"Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability (CVE-2026-22683) that allows users with the Operator role to bypass intended restrictions and perform unauthorized entity creation and modification actions via the backend API, potentially leading to privilege escalation and remote code execution.","title":"Windmill Missing Authorization Vulnerability (CVE-2026-22683)","url":"https://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/"},
{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-23696"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-injection","rce","windmill"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWindmill CE and EE, versions 1.276.0 through 1.603.2, are susceptible to an SQL injection vulnerability (CVE-2026-23696) affecting the folder ownership management functionality. An authenticated attacker can exploit this flaw by injecting SQL code via the \u003ccode\u003eowner\u003c/code\u003e parameter. Successful exploitation allows the attacker to read sensitive information, including the JWT signing secret and administrative user identifiers. This access enables them to forge administrative tokens, ultimately leading to arbitrary code execution through the workflow execution endpoints. This vulnerability poses a significant risk to organizations using affected versions of Windmill, potentially leading to data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Windmill CE/EE instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the folder ownership management section.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to modify folder ownership, injecting SQL code into the \u003ccode\u003eowner\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection allows the attacker to extract sensitive information from the database, such as the JWT signing secret and administrative user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted JWT signing secret to forge an administrative token.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the forged administrative token to authenticate to the workflow execution endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server via the workflow execution endpoint, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-23696 can lead to complete compromise of the Windmill CE/EE instance. An attacker can gain unauthorized access to sensitive data, including credentials and internal application secrets. They can also execute arbitrary code on the server, potentially leading to data breaches, system downtime, and further lateral movement within the network. This vulnerability affects all organizations using Windmill CE/EE versions 1.276.0 through 1.603.2, and can result in significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Windmill CE/EE to version 1.603.3 or later to patch CVE-2026-23696 as per the vendor\u0026rsquo;s release notes (\u003ca href=\"https://github.com/windmill-labs/windmill/releases/tag/v1.603.3\"\u003ehttps://github.com/windmill-labs/windmill/releases/tag/v1.603.3\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Windmill Folder Ownership Modification\u003c/code\u003e to identify potential SQL injection attempts within HTTP requests to the folder ownership management endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as SQL errors or unusual characters in the \u003ccode\u003eowner\u003c/code\u003e parameter of requests targeting the folder ownership management endpoint (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:27Z","date_published":"2026-04-07T17:16:27Z","id":"/briefs/2026-04-windmill-sqli/","summary":"Windmill CE/EE versions 1.276.0 through 1.603.2 are vulnerable to SQL injection in the folder ownership management, allowing authenticated attackers to inject SQL through the owner parameter, leading to sensitive data access, token forgery, and arbitrary code execution.","title":"Windmill CE/EE SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-windmill-sqli/"}
],"language":"en","title":"CraftedSignal Threat Feed — Windmill","version":"https://jsonfeed.org/version/1.1"}