Home

Description

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

PUBLISHED Reserved 2026-01-08 | Published 2026-04-07 | Updated 2026-04-13 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

1.56.0 (semver)
affected

1.615.0
unaffected

Default status
unaffected

1.56.0 (semver)
affected

1.615.0
unaffected

Default status
unaffected

1.0.0 (semver)
affected

Credits

Valentin Lobstein (Chocapikk) finder

References

chocapikk.com/.../2026/windfall-nextcloud-flow-windmill-rce/ technical-description exploit

github.com/Chocapikk/Windfall exploit

github.com/windmill-labs/windmill/releases/tag/v1.615.0 release-notes

github.com/...ommit/c621a74804f4f6e8318819c01e3a23a17698588b patch

www.windmill.dev/ product

apps.nextcloud.com/apps/flow/releases release-notes

cve.org (CVE-2026-22683)

nvd.nist.gov (CVE-2026-22683)

Download JSON