Skip to main content

CVE-2026-23696

| EUVDEUVD-2026-19748 CRITICAL
SQL Injection (CWE-89)
2026-04-07 disclosure@vulncheck.com GHSA-34m2-qrpf-6v7q
9.4
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
PoC Detected
Apr 08, 2026 - 21:27 vuln.today
Public exploit code
EUVD ID Assigned
Apr 07, 2026 - 17:22 euvd
EUVD-2026-19748
Analysis Generated
Apr 07, 2026 - 17:22 vuln.today
CVE Published
Apr 07, 2026 - 17:16 nvd
CRITICAL 9.4

DescriptionCVE.org

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

AnalysisAI

SQL injection in Windmill workflow orchestration platform versions 1.276.0 through 1.603.2 enables authenticated attackers to escalate privileges to administrator and achieve remote code execution. The vulnerability exists in folder ownership management functionality where the owner parameter lacks input sanitization, allowing extraction of JWT signing secrets and administrative user identifiers to forge admin tokens. Publicly available exploit code exists (GitHub POC by Chocapikk), and EPSS risk assessment is critical given the low-complexity remote attack vector requiring only low-privilege authentication. Vendor-released patch: version 1.603.3.

Technical ContextAI

Windmill is a workflow orchestration platform (both Community Edition and Enterprise Edition) that uses folder-based resource organization with ownership management. The vulnerability stems from CWE-89 (SQL Injection) in the folder ownership handling mechanism where user-supplied input in the owner parameter is concatenated directly into SQL queries without parameterization or sanitization. The CVSS 4.0 vector indicates network accessibility with low attack complexity and low privilege requirements. The SQL injection permits arbitrary SELECT queries, enabling attackers to extract cryptographic secrets from the database including JWT signing keys used for session management and authentication. The platform's workflow execution endpoints, which normally require administrative privileges, become accessible once an attacker forges a valid administrative JWT using the exfiltrated signing secret. This transforms a database read vulnerability into a complete system compromise vector through the platform's code execution capabilities inherent to workflow orchestration.

RemediationAI

Upgrade immediately to Windmill version 1.603.3 or later, which contains the vendor-released patch addressing the SQL injection vulnerability via commit 942fb629210ebb287f48467d1535ffde3a3eeafe available at https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe. The fix implements proper parameterized queries for folder ownership operations. After upgrading, rotate all JWT signing secrets as they may have been exfiltrated through prior exploitation, regenerate administrative access tokens, and audit workflow execution logs for unauthorized administrative actions between the deployment date of version 1.276.0 and patch application. No effective workaround exists short of disabling folder ownership modification functionality for non-administrative users, which breaks core platform functionality. Detailed technical analysis and exploitation methodology are documented at https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce and https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/.

Share

CVE-2026-23696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy