CVE-2026-23696

9.9 CRITICAL
Published: April 07, 2026 Modified: April 08, 2026
View on NVD

Description

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://apps.nextcloud.com/apps/flow/releases
Source: disclosure@vulncheck.com
https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
Source: disclosure@vulncheck.com
https://github.com/Chocapikk/Windfall
Source: disclosure@vulncheck.com
https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe
Source: disclosure@vulncheck.com
https://github.com/windmill-labs/windmill/releases/tag/v1.603.3
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce
Source: disclosure@vulncheck.com
https://www.windmill.dev/
Source: disclosure@vulncheck.com

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.9 / 10.0
EPSS (Exploit Probability)
0.1%
20th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-89

Related CVEs

CVE-2026-5307 N/A
CVE-2026-2450 N/A
CVE-2024-9168 N/A
CVE-2026-2449 N/A
CVE-2026-2332 7.4