<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Windmill — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/windmill/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Apr 2026 17:16:27 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/windmill/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windmill Missing Authorization Vulnerability (CVE-2026-22683)</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/</link><pubDate>Tue, 07 Apr 2026 17:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/</guid><description>Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability (CVE-2026-22683) that allows users with the Operator role to bypass intended restrictions and perform unauthorized entity creation and modification actions via the backend API, potentially leading to privilege escalation and remote code execution.</description><content:encoded><![CDATA[<p>Windmill, a low-code internal tool platform, contains a critical missing authorization vulnerability, tracked as CVE-2026-22683, affecting versions 1.56.0 through 1.614.0. The vulnerability stems from a failure to properly enforce role-based access controls within the backend API. Specifically, users assigned the &ldquo;Operator&rdquo; role, who are intended to have limited privileges and be restricted from creating or modifying entities, can bypass these restrictions.  
This allows Operators to create and modify scripts, flows, apps, and raw_apps, effectively exceeding their intended permissions. Given that Operators can also execute scripts through the jobs API, this authorization bypass facilitates a direct path to privilege escalation and potentially remote code execution within the Windmill environment. Defenders should prioritize patching and detection efforts to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises or is assigned an &ldquo;Operator&rdquo; role within the Windmill platform.</li>
<li>The attacker authenticates to the Windmill backend API using their Operator credentials.</li>
<li>The attacker crafts a malicious API request to create a new script, flow, app, or raw_app, bypassing the intended authorization checks for Operator roles.</li>
<li>The Windmill API processes the request without properly validating the Operator&rsquo;s permissions, allowing the entity creation to proceed.</li>
<li>The attacker creates a script containing malicious code designed to escalate privileges or execute arbitrary commands.</li>
<li>The attacker utilizes the jobs API to execute the newly created malicious script.</li>
<li>The script executes with elevated privileges within the Windmill deployment environment.</li>
<li>The attacker achieves remote code execution, potentially compromising the entire Windmill instance and connected resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-22683 can lead to complete compromise of the Windmill instance. An attacker holding an Operator account can gain remote code execution and, from there, full control over the instance, potentially affecting every application, flow, and script managed within the platform. Because Windmill is an internal tool platform, this could expose sensitive internal data and systems to unauthorized access. The number of affected organizations depends on how widely Windmill is deployed within the affected version range.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Windmill instances to a patched version beyond 1.614.0 to remediate CVE-2026-22683.</li>
<li>Implement the Sigma rule <code>Detect Windmill Unauthorized Entity Creation</code> to detect attempts to create scripts, flows, apps, or raw_apps from Operator accounts via the API.</li>
<li>Implement the Sigma rule <code>Detect Windmill Job Execution of Newly Created Entities</code> to detect the execution of scripts, flows, apps, or raw_apps that were recently created.</li>
<li>Monitor Windmill API logs for suspicious activity related to entity creation and modification, focusing on requests originating from Operator accounts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>windmill</category><category>authorization-bypass</category><category>privilege-escalation</category><category>remote-code-execution</category></item><item><title>Windmill CE/EE SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-windmill-sqli/</link><pubDate>Tue, 07 Apr 2026 17:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-windmill-sqli/</guid><description>Windmill CE/EE versions 1.276.0 through 1.603.2 are vulnerable to SQL injection in the folder ownership management, allowing authenticated attackers to inject SQL through the owner parameter, leading to sensitive data access, token forgery, and arbitrary code execution.</description><content:encoded><![CDATA[<p>Windmill CE and EE, versions 1.276.0 through 1.603.2, are susceptible to an SQL injection vulnerability (CVE-2026-23696) affecting the folder ownership management functionality. An authenticated attacker can exploit this flaw by injecting SQL code via the <code>owner</code> parameter. Successful exploitation allows the attacker to read sensitive information, including the JWT signing secret and administrative user identifiers. This access enables them to forge administrative tokens, ultimately leading to arbitrary code execution through the workflow execution endpoints. This vulnerability poses a significant risk to organizations using affected versions of Windmill, potentially leading to data breaches and system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the Windmill CE/EE instance.</li>
<li>The attacker navigates to the folder ownership management section.</li>
<li>The attacker crafts a malicious HTTP request to modify folder ownership, injecting SQL code into the <code>owner</code> parameter.</li>
<li>The application fails to properly sanitize the input, passing the malicious SQL query to the database.</li>
<li>The SQL injection allows the attacker to extract sensitive information from the database, such as the JWT signing secret and administrative user credentials.</li>
<li>The attacker uses the extracted JWT signing secret to forge an administrative token.</li>
<li>The attacker leverages the forged administrative token to authenticate to the workflow execution endpoint.</li>
<li>The attacker executes arbitrary code on the server via the workflow execution endpoint, achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-23696 can lead to complete compromise of the Windmill CE/EE instance. An attacker can gain unauthorized access to sensitive data, including credentials and internal application secrets. They can also execute arbitrary code on the server, potentially leading to data breaches, system downtime, and further lateral movement within the network. This vulnerability affects all organizations using Windmill CE/EE versions 1.276.0 through 1.603.2, and can result in significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Windmill CE/EE to version 1.603.3 or later to patch CVE-2026-23696 as per the vendor&rsquo;s release notes (<a href="https://github.com/windmill-labs/windmill/releases/tag/v1.603.3">https://github.com/windmill-labs/windmill/releases/tag/v1.603.3</a>).</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Windmill Folder Ownership Modification</code> to identify potential SQL injection attempts within HTTP requests to the folder ownership management endpoint.</li>
<li>Monitor the web server log source for suspicious activity, such as SQL errors or unusual characters in the <code>owner</code> parameter of requests targeting the folder ownership management endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sql-injection</category><category>rce</category><category>windmill</category></item></channel></rss>