QwikSec

Security Database

CVE

CWE

Training

CVE-2026-23696

Published: Apr 7, 2026

Modified: May 25, 2026

PUBLISHED

CVSS v3.1

9.9

CRITICAL

Description

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Vendor	Product	Versions
Windmill Labs	Windmill CE (Community Edition)	affected `1.276.0 - <= 1.603.2` unaffected `1.603.3`
Windmill Labs	Windmill EE (Enterprise Edition)	affected `1.276.0 - <= 1.603.2` unaffected `1.603.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/

technical-description

exploit

https://github.com/Chocapikk/Windfall

exploit

https://github.com/windmill-labs/windmill/releases/tag/v1.603.3

release-notes

https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe

patch

https://www.windmill.dev/

product

https://apps.nextcloud.com/apps/flow/releases

release-notes

https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.