{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/windmill/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-47107"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windmill (\u003c 1.703.2)"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","man-in-the-middle","cve"],"_cs_type":"advisory","_cs_vendors":["Windmill"],"content_html":"\u003cp\u003eWindmill, a low-code internal tool platform, is susceptible to a critical vulnerability (CVE-2026-47107) due to insecure default permissions within its nsjail sandbox configuration. Specifically, the /etc directory is bind-mounted without adequate read-write restrictions. This flaw permits authenticated users to manipulate essential system files such as /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. The vulnerability exists in versions prior to 1.703.2. Successful exploitation allows attackers to poison entries persistently across all subsequent script executions on the compromised worker pod. This can lead to the redirection of hostnames, interception of DNS queries, execution of transparent HTTPS man-in-the-middle attacks, and interception of WM_TOKEN JWTs. This can allow attackers to gain workspace-admin access to victim workspaces across tenants.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user gains access to the Windmill platform.\u003c/li\u003e\n\u003cli\u003eThe user executes a malicious script within an nsjail sandbox.\u003c/li\u003e\n\u003cli\u003eThe script leverages the lack of write restrictions on the /etc directory.\u003c/li\u003e\n\u003cli\u003eThe script writes malicious entries to /etc/hosts to redirect hostnames.\u003c/li\u003e\n\u003cli\u003eAlternatively, the script writes malicious entries to /etc/resolv.conf to intercept DNS queries.\u003c/li\u003e\n\u003cli\u003eThe script could also modify /etc/ssl/certs/ca-certificates.crt to perform HTTPS man-in-the-middle attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts WM_TOKEN JWTs used for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen JWTs to gain workspace-admin access, escalating privileges and potentially compromising data across tenants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-47107) could lead to significant compromise of the Windmill platform. Attackers can persistently redirect hostnames, intercept DNS queries, perform HTTPS man-in-the-middle attacks, and escalate privileges to gain workspace-admin access. The CVSS v3.1 base score for this vulnerability is 9.6, highlighting the severity. The poisoning of shared worker pods can impact multiple tenants.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Windmill to version 1.703.2 or later to remediate the vulnerability described in CVE-2026-47107.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Modification of /etc/hosts, /etc/resolv.conf, or /etc/ssl/certs/ca-certificates.crt in nsjail Sandbox\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for scripts writing to sensitive files within nsjail environments, using the detection rule and tuning for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T18:18:10Z","date_published":"2026-05-19T18:18:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windmill-nsjail-perms/","summary":"Windmill versions prior to 1.703.2 are vulnerable to incorrect default permissions in the nsjail sandbox configuration, allowing authenticated users to inject malicious entries into critical system files, leading to potential privilege escalation and man-in-the-middle attacks.","title":"Windmill nsjail Sandbox Incorrect Permissions Vulnerability (CVE-2026-47107)","url":"https://feed.craftedsignal.io/briefs/2026-05-windmill-nsjail-perms/"}],"language":"en","title":"CraftedSignal Threat Feed — Windmill","version":"https://jsonfeed.org/version/1.1"}