Skip to main content

Windmill CVE-2026-47107

| EUVDEUVD-2026-30958 HIGH
Incorrect Default Permissions (CWE-276)
2026-05-19 VulnCheck GHSA-78hq-926c-2xmr
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
May 20, 2026 - 13:28 vuln.today
v3 (cvss_changed)
Severity Changed
May 20, 2026 - 13:22 NVD
CRITICAL HIGH
CVSS changed
May 20, 2026 - 13:22 NVD
9.3 (CRITICAL) 8.6 (HIGH)
Analysis Updated
May 19, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 18:22 NVD
9.6 (CRITICAL) 9.3 (CRITICAL)
Source Code Evidence Fetched
May 19, 2026 - 18:00 vuln.today
Analysis Generated
May 19, 2026 - 18:00 vuln.today

DescriptionCVE.org

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to victim workspaces across tenants.

AnalysisAI

Cross-tenant DNS and TLS poisoning in Windmill versions prior to 1.703.2 allows authenticated low-privilege users to write to /etc/hosts, /etc/resolv.conf, and the system CA bundle from inside nsjail script sandboxes, persisting tampered state across every subsequent job on the same worker pod. Because poisoned entries survive between executions, attackers can hijack hostname resolution, perform transparent HTTPS man-in-the-middle, and steal WM_TOKEN JWTs to escalate to workspace-admin in other tenants. Publicly available exploit code exists per SSVC (poc), and CVSS 4.0 rates this 8.6 with high confidentiality and integrity impact.

Technical ContextAI

Windmill is an open-source developer platform for running scripts, flows, and apps; it isolates user-submitted code using nsjail, a Google sandboxing tool built on Linux namespaces and seccomp. The root cause is CWE-276 (Incorrect Default Permissions): the shipped nsjail configuration bind-mounts the host /etc directory into sandboxed jobs without marking it read-only, so the namespaced mount inherits write permissions. Sensitive resolver and trust files - /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt - therefore become writable. Because worker pods reuse the same underlying /etc across job invocations, modifications by one tenant's job persist and are read by later jobs belonging to other tenants, breaking the multi-tenant isolation Windmill's sandbox is supposed to enforce. The affected product per CPE is cpe:2.3:a:windmill-labs:windmill across all versions up to but not including 1.703.2.

RemediationAI

Vendor-released patch: upgrade to Windmill v1.703.2 or later, which corrects the nsjail configuration so /etc is no longer writable from sandboxes (release notes: https://github.com/windmill-labs/windmill/releases/tag/v1.703.2; fix PR https://github.com/windmill-labs/windmill/pull/9194; commit f8467f38c8a053117ce62f96684cfb15ef792f08). For operators who cannot immediately upgrade, the workable compensating controls are to tighten the nsjail mount configuration so /etc, /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt are mounted read-only (mirroring the upstream fix), or to enforce one-tenant-per-worker-pod scheduling so cross-tenant poisoning cannot occur - note this reduces worker density and increases infrastructure cost. As an additional defensive measure, recycle worker pods between jobs (treating them as ephemeral) so any poisoned /etc state is destroyed before the next tenant's job runs, at the cost of higher startup latency. Restricting workspace signup and reviewing which users can submit arbitrary scripts also limits the population of potential attackers.

Share

CVE-2026-47107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy