Which versions of Windmill are affected by CVE-2026-33881?

Windmill versions prior to 1.664.0 contain a code injection vulnerability in the NativeTS executor that allows workspace administrators to execute arbitrary code across all TypeScript scripts within…. A patch is available.

How to fix or mitigate CVE-2026-33881?

Within 24 hours: Identify all Windmill installations and document current versions. Within 7 days: Upgrade all affected Windmill instances to version 1.664.0 or later. Within 30 days: Audit workspace administrator accounts and review recent script modifications for suspicious activity; implement principle of least privilege for workspace admin role assignments.

Windmill CVE-2026-33881

Q: What is the CVSS score of CVE-2026-33881?

CVE-2026-33881 has a CVSS 4.0 base score of 7.3 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-16820 HIGH

Code Injection (CWE-94)

2026-03-27 GitHub_M

Code Injection RCE Windmill

7.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:12 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.664.0

EUVD ID Assigned

Mar 27, 2026 - 21:15 euvd

EUVD-2026-16820

Analysis Generated

Mar 27, 2026 - 21:15 vuln.today

CVE Published

Mar 27, 2026 - 20:34 nvd

HIGH 7.3

DescriptionGitHub Advisory

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing ' can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in worker.rs, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.

AnalysisAI

JavaScript code injection in Windmill's NativeTS executor allows workspace administrators to achieve remote code execution by embedding malicious payloads in environment variable values. The vulnerability (CWE-94) stems from improper sanitization of single quotes when interpolating workspace environment variables into JavaScript string literals, enabling arbitrary code execution in all NativeTS scripts within the affected workspace. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Workspace admin creates environment variable

Delivery

Sets value containing unescaped single quote

Exploit

Variable interpolated into JavaScript string literal

Execution

Arbitrary JavaScript injected into NativeTS script

Impact

Malicious code executes in worker process