Platform
rust
Component
windmill
Fixed in
1.664.1
CVE-2026-33881 describes a code injection vulnerability affecting Windmill, an open-source developer platform. This flaw allows an attacker to inject malicious JavaScript into NativeTS scripts by crafting environment variable values containing single quotes. Versions of Windmill prior to 1.664.0 are vulnerable, and a patch has been released to address the issue.
The vulnerability lies in the NativeTS executor's handling of workspace environment variables. Specifically, the platform fails to properly escape single quotes when interpolating these variables into JavaScript string literals. A malicious workspace administrator could leverage this by setting an environment variable with a value containing a single quote followed by arbitrary JavaScript code. This injected code will then execute within every NativeTS script running in that workspace, granting the attacker significant control over the platform's behavior. The potential impact includes data exfiltration, unauthorized code execution, and complete compromise of the affected workspace.
This vulnerability was publicly disclosed on 2026-03-27. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the potential for significant impact and the lack of public exploits, the probability of exploitation is considered medium.
Organizations utilizing Windmill for internal development, particularly those with multiple workspace administrators or shared workspace environments, are at risk. Legacy Windmill deployments and those with relaxed environment variable security policies are especially vulnerable.
• rust / platform: Examine workspace environment variables for suspicious characters or code.
find . -name '*.env' -print0 | xargs -0 grep -n "'"
• rust / platform: Monitor NativeTS script execution logs for unexpected JavaScript code or errors.
• generic web: Inspect Windmill workspace configurations for unusual environment variable settings.
• generic web: Review Windmill access logs for attempts to manipulate environment variables.
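The following is an added example, not Windmill's own code, illustrating the mechanism described above and the environment-variable review in the detection list: a value containing a single quote is dropped straight into a single-quoted JavaScript literal and breaks the generated source, while escaping the value through JSON.stringify keeps it a single, intact literal. The function names, the generated preamble shape and the sample variables are constructed assumptions for the demonstration; Windmill's actual executor code is not shown here.

```javascript
// Added example (assumed shapes, not Windmill's code): why an unescaped single
// quote in a workspace environment variable corrupts the generated JavaScript,
// and how proper escaping closes the hole.

// Vulnerable pattern: the raw value is spliced into a single-quoted literal,
// so a quote inside the value terminates the literal early. `name` is assumed
// to be a valid JavaScript identifier.
function renderEnvUnsafe(name, value) {
  return `const ${name} = '${value}';\n`;
}

// Hardened pattern: JSON.stringify yields a valid JavaScript string literal
// with quotes, backslashes and control characters escaped.
function renderEnvSafe(name, value) {
  return `const ${name} = ${JSON.stringify(value)};\n`;
}

// Compile the generated preamble and read the variable back. Returns the value
// the script sees, or "error:<ErrorClass>" when the source does not even parse,
// which is the visible symptom of a literal that was broken out of.
function roundTrip(render, name, value) {
  const src = render(name, value) + `return ${name};`;
  try {
    return new Function(src)();
  } catch (e) {
    return `error:${e.constructor.name}`;
  }
}

// Audit helper in the spirit of the detection step above: report the names of
// environment variables whose values contain characters able to escape a
// single-quoted JavaScript literal (quote, backslash, line terminators).
function auditEnv(env) {
  const suspicious = /['\\\r\n]/;
  return Object.entries(env)
    .filter(([, v]) => suspicious.test(String(v)))
    .map(([k]) => k);
}

// Constructed sample workspace variables (not real data).
const SAMPLE_ENV = {
  API_BASE: "https://api.example.invalid",
  OWNER: "O'Reilly",      // benign value that happens to contain an apostrophe
  NOTE: "line1\nline2",   // benign value containing a newline
};

console.log("unsafe OWNER:", roundTrip(renderEnvUnsafe, "OWNER", SAMPLE_ENV.OWNER));
console.log("safe   OWNER:", roundTrip(renderEnvSafe, "OWNER", SAMPLE_ENV.OWNER));
console.log("flagged variables:", auditEnv(SAMPLE_ENV));
```

Even the harmless apostrophe in `O'Reilly` turns the unsafe preamble into a SyntaxError, which is why the page's advice to review variable values for single quotes is a useful first check; the hardened renderer returns the original value unchanged for every input, including the newline-bearing `NOTE`.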
Disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation is to upgrade Windmill to version 1.664.0 or later, which includes a fix for this vulnerability. If upgrading immediately is not feasible, consider restricting workspace administrator privileges to prevent malicious environment variable manipulation. Carefully review all environment variables set within workspaces for suspicious content. While a direct WAF rule is difficult to implement, monitoring for unusual JavaScript execution patterns within NativeTS scripts could provide an early warning sign of exploitation. After upgrading, confirm the fix by attempting to inject a single quote into an environment variable and verifying that the JavaScript is not executed.
Upgrade Windmill to version 1.664.0 or later. This version fixes the code injection vulnerability caused by the unescaped interpolation of workspace environment variables in the NativeTS executor. The update prevents malicious administrators from injecting arbitrary JavaScript.
CVE-2026-33881 is a code injection vulnerability in Windmill versions up to 1.664.0. It allows attackers to inject JavaScript by manipulating workspace environment variables.
You are affected if you are using Windmill version 1.664.0 or earlier. Upgrade to 1.664.0 to mitigate the risk.
Upgrade Windmill to version 1.664.0 or later. Restrict workspace administrator privileges as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants caution.
Refer to the Windmill project's official release notes and security advisories for details: [https://windmill.systems/](https://windmill.systems/)