CVE-2026-22683 - Vulnerability Analysis
Severity: High
CVSS: 8.8
Last Updated: April 7, 2026
Windmill - Broken Access Control
Published: April 7, 2026
Updated: April 7, 2026
Remote Exploitable
Overview
Windmill 1.56.0 through 1.614.0 contains a broken access control vulnerability caused by missing authorization checks on workspace API endpoints. A user holding the Operator role can escalate privileges to remote code execution; exploitation requires an account with the Operator role.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Operators can escalate privileges to execute arbitrary code remotely, potentially compromising the entire Windmill deployment.
Mitigation
Update to Windmill 1.615.0 (the release referenced below) or later; the latest available version is recommended.
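As an added example (not part of the advisory or the Windmill project), the following check compares deployment version strings against the affected range the advisory gives (1.56.0 through 1.614.0) and flags hosts that still need the 1.615.0 upgrade; the inventory and host names are constructed sample data.

```python
"""Version-range triage for CVE-2026-22683 (added example, not vendor code)."""
import re

# Affected range and fixed release as stated in the advisory.
AFFECTED_MIN = (1, 56, 0)
AFFECTED_MAX = (1, 614, 0)
FIXED_VERSION = (1, 615, 0)

# Accepts "1.614.0", "v1.614.0" and tags with a suffix such as "1.614.0-rc1".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a Windmill version string into an int tuple; ValueError if unparseable."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Windmill version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version lies inside the advisory's inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version):
    """Return (affected, recommendation) for one deployment's version string."""
    parsed = parse_version(version)
    fixed = ".".join(map(str, FIXED_VERSION))
    if AFFECTED_MIN <= parsed <= AFFECTED_MAX:
        return True, f"upgrade to {fixed} or later"
    if parsed < AFFECTED_MIN:
        return False, "below the range listed in the advisory; upgrade anyway"
    return False, "at or above the fixed release"


def triage(inventory):
    """Return the names of hosts whose version is in the affected range, sorted."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {"wm-prod-1": "v1.614.0", "wm-prod-2": "1.615.0", "wm-dev": "1.600.3"}
    for host in triage(sample):
        print(host, "->", assess(sample[host])[1])
```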
References
- https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
- https://github.com/Chocapikk/Windfall
- https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b
- https://github.com/windmill-labs/windmill/releases/tag/v1.615.0
- https://www.windmill.dev/
- https://apps.nextcloud.com/apps/flow/releases
Details
- CVE ID: CVE-2026-22683
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: new
CWE
- CWE-862 (Missing Authorization)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H