CVE-2026-23696 - Vulnerability Analysis
Severity: Critical | CVSS: 9.9 | Last Updated: April 7, 2026
Windmill CE & EE - SQL Injection
Published: April 7, 2026 | Updated: April 7, 2026 | Remote Exploitable
Overview
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection (CWE-89) caused by improper sanitization of the owner parameter in folder ownership management. An authenticated attacker can use it to read sensitive data from the database and, from there, execute arbitrary code via workflow endpoints.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Authenticated attackers can read sensitive data, forge admin tokens, and execute arbitrary code, leading to full system compromise.
Mitigation
Update to Windmill 1.603.3 or later (the fix landed in commit 942fb629210ebb287f48467d1535ffde3a3eeafe; see the v1.603.3 release tag in the references). Until the upgrade is applied, restrict which authenticated users can reach the folder ownership management endpoints.
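The pattern behind this class of bug, as an added illustration that is not Windmill's code and does not reproduce the actual vulnerable query: an owner value is spliced into SQL text, so a quote in it rewrites the query and lets the caller read a table (here, tokens) that the query was never meant to touch. The table names, column names, sample rows, owner-path format (u/<user> or g/<group>) and the SQLite backend are all assumptions made for this example; the fix shown is ordinary parameter binding, with an input-shape check as defense in depth.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demonstration only; the tables,
# columns and values are assumptions and are not Windmill's real schema.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE folder (name TEXT, owner TEXT);
        CREATE TABLE token (token TEXT, owner TEXT, super_admin INTEGER);
        INSERT INTO folder VALUES ('reports', 'u/alice'), ('ops', 'g/devops');
        INSERT INTO token VALUES ('tok_admin_secret', 'u/admin', 1),
                                 ('tok_alice', 'u/alice', 0);
    """)
    return con


def folders_for_owner_vulnerable(con: sqlite3.Connection, owner: str) -> list:
    # CWE-89: the owner parameter becomes part of the SQL text, so a quote in
    # it ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM folder WHERE owner = '{owner}'"
    return [row[0] for row in con.execute(sql)]


def folders_for_owner_fixed(con: sqlite3.Connection, owner: str) -> list:
    # Bound parameter: the value is passed to the driver separately from the
    # query text, so quotes and comment markers are compared as data.
    sql = "SELECT name FROM folder WHERE owner = ?"
    return [row[0] for row in con.execute(sql, (owner,))]


def is_plausible_owner(owner: str) -> bool:
    # Defense in depth (assumed format): accept only u/<name> or g/<name>
    # before the value reaches any query. Binding, not this check, is the fix.
    return re.fullmatch(r"[ug]/[A-Za-z0-9_.-]+", owner) is not None


# Constructed attacker-controlled owner value: closes the string literal,
# appends a UNION that reads the token table, and comments out the rest.
INJECTED_OWNER = "' UNION SELECT token FROM token WHERE super_admin = 1 --"


def demo() -> dict:
    con = make_db()
    return {
        "legit_vulnerable": folders_for_owner_vulnerable(con, "u/alice"),
        "injected_vulnerable": folders_for_owner_vulnerable(con, INJECTED_OWNER),
        "injected_fixed": folders_for_owner_fixed(con, INJECTED_OWNER),
        "shape_check_rejects": not is_plausible_owner(INJECTED_OWNER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable query returns the super-admin token for the injected owner value, which is the "read sensitive data, forge admin tokens" step in the impact statement above; the bound-parameter version returns no rows for the same input because the whole string is compared against the owner column as a literal value.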
References
- https://apps.nextcloud.com/apps/flow/releases
- https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
- https://github.com/Chocapikk/Windfall
- https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe
- https://github.com/windmill-labs/windmill/releases/tag/v1.603.3
- https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce
- https://www.windmill.dev/
Details
- CVE ID
- CVE-2026-23696
- Severity
- Critical
- CVSS Score
- 9.9
- Type
- sql_injection
- Status
- new
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H