
Description

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in its nsjail sandbox configuration files: /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. The poisoned entries persist across all subsequent script executions on the same worker pod, so attackers can redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to other users' workspaces.

PUBLISHED Reserved 2026-05-18 | Published 2026-05-19 | Updated 2026-05-20 | Assigner VulnCheck




HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

HIGH: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Problem types

Incorrect Default Permissions

Product status

Default status: affected

Any version before 1.703.2: affected

f8467f38c8a053117ce62f96684cfb15ef792f08 (git): unaffected

Credits

Shai Dvash (finder)

References

github.com/windmill-labs/windmill/pull/9194 exploit

github.com/windmill-labs/windmill/releases/tag/v1.703.2 release-notes

github.com/windmill-labs/windmill/pull/9194 issue-tracking

github.com/...ommit/f8467f38c8a053117ce62f96684cfb15ef792f08 patch

www.vulncheck.com/...ult-permissions-in-nsjail-configuration

cve.org (CVE-2026-47107)

nvd.nist.gov (CVE-2026-47107)
