
Description

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Status: PUBLISHED | Reserved 2026-01-14 | Published 2026-04-07 | Updated 2026-04-08 | Assigner: VulnCheck

CRITICAL 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

CRITICAL 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected
- 1.276.0 (semver): affected
- 1.603.3: unaffected

Default status: unaffected
- 1.276.0 (semver): affected
- 1.603.3: unaffected

Default status: unaffected
- 1.0.0 (semver): affected
- 1.3.0: unaffected
- 1.3.1: unaffected

Credits

Valentin Lobstein (Chocapikk), finder

References

chocapikk.com/.../2026/windfall-nextcloud-flow-windmill-rce/ (technical-description, exploit)

github.com/Chocapikk/Windfall (exploit)

github.com/windmill-labs/windmill/releases/tag/v1.603.3 (release-notes)

github.com/...ommit/942fb629210ebb287f48467d1535ffde3a3eeafe (patch)

www.windmill.dev/ (product)

apps.nextcloud.com/apps/flow/releases (release-notes)

www.vulncheck.com/...ndmill-file-ownership-handling-sqli-rce (third-party-advisory)

cve.org (CVE-2026-23696)

nvd.nist.gov (CVE-2026-23696)
