CVE-2026-22683
EUVD-2026-19747 · HIGH
Missing Authorization (CWE-862)
Published 2026-04-07 · disclosure@vulncheck.com · GHSA-9q9g-rp9x-244h
8.7 · CVSS 4.0 · NVD

Severity by source

NVD (primary, and the only source rating this CVE): 8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base metrics: Attack Vector Network · Attack Complexity Low · Attack Requirements None · Privileges Required Low · User Interaction None · Vulnerable System Confidentiality/Integrity/Availability High · Subsequent System Confidentiality/Integrity/Availability None. Threat, environmental and supplemental metrics are all Not Defined (X). CVSS 4.0 has no Scope metric; the "Scope: X" row shown by the original template is a leftover from CVSS 3.x and carries no information here.

Lifecycle Timeline

Re-analysis queued · Apr 24, 2026 16:52 · vuln.today · cvss_changed
PoC detected · Apr 08, 2026 21:27 · vuln.today · public exploit code
EUVD ID assigned · Apr 07, 2026 17:22 · euvd · EUVD-2026-19747
Analysis generated · Apr 07, 2026 17:22 · vuln.today
CVE published · Apr 07, 2026 17:16 · nvd · HIGH 8.7

Description (CVE.org)

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

Analysis (AI)

Authorization gap in Windmill 1.56.0 through 1.614.0: the workspace entity endpoints never check the Operator flag, so an authenticated Operator can create or modify scripts, flows, apps and raw_apps that the role is documented as unable to author. Because Operators are legitimately allowed to run jobs, an Operator can author an arbitrary script and then execute it through the jobs API, escalating from a supposedly execute-only role to remote code execution within the deployment. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: the attacker authenticates to the Windmill backend API with an account holding the Operator role.
Delivery: the attacker calls the workspace entity endpoints, which verify workspace membership but never apply the Operator restriction.
Exploit: a script, flow, app or raw_app is created or modified with attacker-controlled content.
Execution: the attacker runs the new entity through the jobs API, which Operators are permitted to use.
Impact: the attacker's code executes within the Windmill deployment.
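The chain above, modelled as an added example that is not Windmill's code: a tiny in-memory workspace with an authorization check that can be switched off to reproduce the 1.56.0 to 1.614.0 behaviour. The Role and Workspace classes, the entity paths and the in-process "worker" are assumptions for illustration; the real Windmill backend is an HTTP API, not these Python methods.

```python
"""Added example (not Windmill's code): a minimal model of the authorization
gap in CVE-2026-22683. Role names, the Workspace class, the entity paths and
the in-process "worker" are simplifications assumed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    DEVELOPER = "developer"
    OPERATOR = "operator"   # documented as execute-only: may run jobs, not author entities


class Forbidden(Exception):
    pass


@dataclass
class Workspace:
    members: dict                                  # user -> Role
    scripts: dict = field(default_factory=dict)    # script path -> source text
    enforce_operator_restriction: bool = True      # False reproduces 1.56.0-1.614.0 behaviour

    def _role(self, user: str) -> Role:
        if user not in self.members:
            raise Forbidden(f"{user} is not a member of this workspace")
        return self.members[user]

    def _require_author(self, user: str) -> None:
        role = self._role(user)
        # This is the check that was missing on the workspace entity endpoints:
        # the vulnerable versions verified membership only and never consulted
        # the Operator flag before a create or update.
        if self.enforce_operator_restriction and role is Role.OPERATOR:
            raise Forbidden(f"{user} holds the Operator role and may not create or modify entities")

    def create_script(self, user: str, path: str, source: str) -> str:
        self._require_author(user)
        if path in self.scripts:
            raise ValueError(f"{path} already exists; use update_script")
        self.scripts[path] = source
        return path

    def update_script(self, user: str, path: str, source: str) -> str:
        self._require_author(user)
        if path not in self.scripts:
            raise KeyError(path)
        self.scripts[path] = source
        return path

    def run_script(self, user: str, path: str):
        # Operators are allowed here by design (the jobs API), so this call
        # succeeds in both the vulnerable and the fixed model.
        self._role(user)
        namespace: dict = {}
        # Stand-in for the worker: whatever source is stored gets executed.
        # That is exactly why authoring rights are the security boundary.
        exec(self.scripts[path], namespace)
        return namespace.get("result")


def operator_attack_chain(enforce_operator_restriction: bool) -> str:
    """Replays the access -> create -> execute chain from the advisory."""
    ws = Workspace(members={"alice": Role.ADMIN, "op": Role.OPERATOR},
                   enforce_operator_restriction=enforce_operator_restriction)
    # Legitimate content created by an admin; Operators may run it.
    ws.create_script("alice", "f/reports/daily", "result = 'report generated'")
    try:
        ws.create_script("op", "u/op/payload", "result = 'attacker code ran on the worker'")
    except Forbidden as exc:
        return f"blocked: {exc}"
    return ws.run_script("op", "u/op/payload")


def operator_can_still_run_jobs(enforce_operator_restriction: bool) -> str:
    """Executing existing entities remains allowed for Operators after the fix."""
    ws = Workspace(members={"alice": Role.ADMIN, "op": Role.OPERATOR},
                   enforce_operator_restriction=enforce_operator_restriction)
    ws.create_script("alice", "f/reports/daily", "result = 'report generated'")
    return ws.run_script("op", "f/reports/daily")


if __name__ == "__main__":
    print("1.56.0-1.614.0 behaviour:", operator_attack_chain(False))
    print("1.615.0 behaviour:       ", operator_attack_chain(True))
    print("operator runs admin job: ", operator_can_still_run_jobs(True))
```

The point of the model is that the fix belongs on the authoring endpoints, not on the jobs API: Operators must keep the ability to execute, so the only place the boundary can be enforced is where entities are created or modified.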

Vulnerability Assessment (AI)

Exploitation: affected versions are Windmill 1.56.0 through 1.614.0. The only precondition is an authenticated account that holds the Operator role in the target workspace (PR:L in the vector); no user interaction and no special configuration are required (UI:N, AT:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: the CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity and availability impact on the vulnerable system (VC:H/VI:H/VA:H) with low attack complexity, low privileges required and no user interaction. The timeline above records public exploit code as of Apr 08, 2026, which the Not Defined threat metrics (E:X) do not yet reflect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: an attacker holding Operator credentials (obtained through phishing, credential stuffing or insider access) authenticates to a Windmill instance and sends a POST to the workspace scripts endpoint to create a script with attacker-controlled content, for example a Python reverse shell. The API accepts the request despite the documented Operator restriction and persists the script in the workspace; the attacker then runs it through the jobs API, which Operators are allowed to use, and the code executes within the Windmill deployment. …
Remediation: upgrade to Windmill 1.615.0 or later, which adds the Operator check to the workspace entity endpoints (commit c621a74804f4f6e8318819c01e3a23a17698588b). Because the restriction was a documented policy rather than an enforced server-side check, treat every Operator account as having had authoring rights on affected versions and review what those accounts created or modified. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: inventory all Windmill deployments in your environment and record which run versions 1.56.0 through 1.614.0; audit every Operator role assignment and document which accounts hold it. On affected versions, also review the scripts, flows, apps and raw_apps created or modified by Operator accounts, since the server never rejected those writes. …
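A triage helper for the 24-hour actions above, added here as an example that is not part of the vuln.today report or of Windmill. The version bounds come from the advisory (1.56.0 first affected, 1.615.0 first fixed). The access-log line layout and the endpoint paths under /api/w/<workspace>/ are assumptions for illustration, and the log lines are constructed; adapt the regexes to your reverse proxy's format.

```python
"""Added example (not part of the vuln.today report or of Windmill): version
range check and access-log review for CVE-2026-22683. Log format and endpoint
paths are assumed for illustration."""
import re

FIRST_AFFECTED = (1, 56, 0)     # Operator role introduced here (advisory)
FIRST_FIXED = (1, 615, 0)       # first release with the server-side check (advisory)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.\-]+)?$")
# Assumed log format: "<ts> user=<u> role=<r> <METHOD> <path> <status>"
_LOG_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) (\S+) (\S+) (\d{3})$")
# Entity authoring endpoints an Operator must never reach (assumed paths,
# entity names scripts/flows/apps/raw_apps taken from the advisory).
_ENTITY_WRITE_RE = re.compile(r"^/api/w/[^/]+/(scripts|flows|apps|raw_apps)/(create|update)(?:/|$)")
_JOB_RUN_RE = re.compile(r"^/api/w/[^/]+/jobs/run(?:/|$)")
_WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_version(text: str) -> tuple:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True for 1.56.0 <= version < 1.615.0; pre-release suffixes are ignored."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        ts, user, role, method, path, status = m.groups()
        entries.append({"ts": ts, "user": user, "role": role, "method": method,
                        "path": path, "status": int(status)})
    return entries


def _is_entity_write(entry: dict) -> bool:
    return (entry["method"] in _WRITE_METHODS
            and _ENTITY_WRITE_RE.match(entry["path"]) is not None
            and 200 <= entry["status"] < 300)


def operator_entity_writes(text: str) -> list:
    """Requests where an Operator successfully hit a create/update endpoint."""
    return [e for e in parse_log(text) if e["role"] == "operator" and _is_entity_write(e)]


def write_then_run_users(text: str) -> set:
    """Operators who authored an entity and then ran a job afterwards: the
    advisory's full chain, as far as access logs alone can show it."""
    wrote, escalated = set(), set()
    for e in parse_log(text):
        if e["role"] != "operator" or not 200 <= e["status"] < 300:
            continue
        if _is_entity_write(e):
            wrote.add(e["user"])
        elif e["user"] in wrote and _JOB_RUN_RE.match(e["path"]):
            escalated.add(e["user"])
    return escalated


# Constructed sample access log (not real data).
SAMPLE_LOG = """\
2026-04-08T10:00:01Z user=alice role=admin POST /api/w/demo/scripts/create 201
2026-04-08T10:00:05Z user=op role=operator GET /api/w/demo/scripts/list 200
2026-04-08T10:00:09Z user=op role=operator POST /api/w/demo/scripts/create 201
2026-04-08T10:00:12Z user=op role=operator POST /api/w/demo/jobs/run/p/u/op/payload 201
2026-04-08T10:00:20Z user=op role=operator POST /api/w/demo/flows/update/f/ops/nightly 200
2026-04-08T10:00:25Z user=op2 role=operator POST /api/w/demo/apps/create 403
2026-04-08T10:00:30Z user=bob role=developer PUT /api/w/demo/apps/update/u/bob/app 200
"""

if __name__ == "__main__":
    for v in ("1.55.9", "1.56.0", "1.614.0", "1.615.0", "v1.620.1-rc1"):
        print(f"{v:>14}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for e in operator_entity_writes(SAMPLE_LOG):
        print("operator write:", e["ts"], e["user"], e["method"], e["path"])
    print("write-then-run:", write_then_run_users(SAMPLE_LOG))
```

Only successful (2xx) writes are flagged, because a 403 on these endpoints is the fixed behaviour and not evidence of abuse; job runs by Operators are not flagged on their own, since running jobs is what the role is for, and only become interesting once the same account has authored an entity.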

CVE-2026-22683 vulnerability details – vuln.today