Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to victim workspaces across tenants.
AnalysisAI
Cross-tenant DNS and TLS poisoning in Windmill versions prior to 1.703.2 allows authenticated low-privilege users to write to /etc/hosts, /etc/resolv.conf, and the system CA bundle from inside nsjail script sandboxes, persisting tampered state across every subsequent job on the same worker pod. Because poisoned entries survive between executions, attackers can hijack hostname resolution, perform transparent HTTPS man-in-the-middle, and steal WM_TOKEN JWTs to escalate to workspace-admin in other tenants. Publicly available exploit code exists per SSVC (poc), and CVSS 4.0 rates this 8.6 with high confidentiality and integrity impact.
Technical ContextAI
Windmill is an open-source developer platform for running scripts, flows, and apps; it isolates user-submitted code using nsjail, a Google sandboxing tool built on Linux namespaces and seccomp. The root cause is CWE-276 (Incorrect Default Permissions): the shipped nsjail configuration bind-mounts the host /etc directory into sandboxed jobs without marking it read-only, so the namespaced mount inherits write permissions. Sensitive resolver and trust files - /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt - therefore become writable. Because worker pods reuse the same underlying /etc across job invocations, modifications by one tenant's job persist and are read by later jobs belonging to other tenants, breaking the multi-tenant isolation Windmill's sandbox is supposed to enforce. The affected product per CPE is cpe:2.3:a:windmill-labs:windmill across all versions up to but not including 1.703.2.
RemediationAI
Vendor-released patch: upgrade to Windmill v1.703.2 or later, which corrects the nsjail configuration so /etc is no longer writable from sandboxes (release notes: https://github.com/windmill-labs/windmill/releases/tag/v1.703.2; fix PR https://github.com/windmill-labs/windmill/pull/9194; commit f8467f38c8a053117ce62f96684cfb15ef792f08). For operators who cannot immediately upgrade, the workable compensating controls are to tighten the nsjail mount configuration so /etc, /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt are mounted read-only (mirroring the upstream fix), or to enforce one-tenant-per-worker-pod scheduling so cross-tenant poisoning cannot occur - note this reduces worker density and increases infrastructure cost. As an additional defensive measure, recycle worker pods between jobs (treating them as ephemeral) so any poisoned /etc state is destroyed before the next tenant's job runs, at the cost of higher startup latency. Restricting workspace signup and reviewing which users can submit arbitrary scripts also limits the population of potential attackers.
The Lukasavicus/WindMill repository through 1.0 on GitHub allows absolute path traversal because the Flask send_file fun
Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execut
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to vers
JavaScript code injection in Windmill's NativeTS executor allows workspace administrators to achieve remote code executi
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.63
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30958
GHSA-78hq-926c-2xmr