CVE-2026-23696 PUBLISHED

Windmill < 1.603.3 File Ownership Handling SQLi RCE

Assigner: VulnCheck
Reserved: 14.01.2026
Published: 07.04.2026
Updated: 08.04.2026

Windmill CE (Community Edition) and EE (Enterprise Edition) versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality: an authenticated attacker can inject SQL through the owner parameter. The injection can be used to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Product Status

Vendor: Windmill Labs
Product: Windmill CE (Community Edition)
Versions (default: unaffected)
  • affected from 1.276.0 to 1.603.2 (incl.)
  • Version 1.603.3 is unaffected

Vendor: Windmill Labs
Product: Windmill EE (Enterprise Edition)
Versions (default: unaffected)
  • affected from 1.276.0 to 1.603.2 (incl.)
  • Version 1.603.3 is unaffected

Vendor: Nextcloud
Product: Flow
Versions (default: unaffected)
  • affected from 1.0.0 to 1.2.2 (incl.)
  • Version 1.3.0 is unaffected
  • Version 1.3.1 is unaffected

Credits

  • Valentin Lobstein (Chocapikk), finder

Problem Types

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')