CRITICAL · CVE-2026-23696 · CVSS 9.9

CVE-2026-23696: RCE in Windmill Folder Ownership

Platform: nodejs

Component: windmill-labs/windmill

Fixed in: 1.603.3

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-23696 is a critical SQL injection vulnerability in Windmill CE and EE versions 1.276.0 through 1.603.2 that leads to remote code execution. An authenticated user can inject SQL through the folder ownership management functionality, via the owner value supplied when changing a folder's owners. Successful exploitation exposes sensitive data and can escalate to complete takeover of the instance. The vulnerability is fixed in version 1.603.3.

Impact and Attack Scenarios

The impact is severe. Through this SQL injection an attacker can read sensitive data from the Windmill database, including the JWT signing secret used for authentication and the identifiers of administrative users. With the signing secret, the attacker can forge administrative tokens and impersonate an administrator, then execute arbitrary code through the workflow execution endpoints and take full control of the Windmill instance. Data exfiltration, system modification and denial of service all follow from that level of access.

Exploitation Context

CVE-2026-23696 was publicly disclosed on 2026-04-07. The CVSS 9.9 rating and the path from SQL injection to JWT secret compromise make exploitation attractive. At the time of writing no public proof-of-concept (PoC) had been confirmed (the exploit-status data below records "Unknown", while the CISA SSVC exploitation decision point is set to "poc", so treat the two sources as unreconciled), but SQL injection flaws are typically straightforward to weaponise once the vulnerable parameter is known. The CVE is not listed in the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.07% (20th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (base score 9.9, Critical)

Attack Vector: Network · Attack Complexity: Low · Privileges Required: Low · User Interaction: None · Scope: Changed · Confidentiality: High · Integrity: High · Availability: High
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: windmill-labs/windmill
Vendor: Windmill Labs

Affected range        Fixed in
1.276.0 – 1.603.2     1.603.3
1.0.0 – 1.2.2         1.603.3
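To check a running instance against the affected range in the table above, the following added Python example (not part of this advisory and not Windmill's own code) parses a Windmill version string and compares it with the range. It assumes the version is reported in the form `v1.603.2`, optionally with a build suffix such as `-ee`, as returned by Windmill's `GET /api/version` endpoint; the endpoint, the suffix handling and the sample version strings are assumptions, while the range and fix version are transcribed from the table.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Affected range and fix version transcribed from the advisory table.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 276, 0), (1, 603, 2)),
]
FIXED_IN: Version = (1, 603, 3)

# Leading "v" is optional; anything after the numeric part (e.g. "-ee") is
# ignored. The suffix convention is an assumption, not taken from the advisory.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Turn 'v1.603.2', '1.603.2' or 'v1.603.2-ee' into a 3-tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Normalise to three components so "1.603" compares like "1.603.0".
    padded = (parts + (0, 0, 0))[:3]
    return (padded[0], padded[1], padded[2])


def is_affected(text: str,
                ranges: Iterable[Tuple[Version, Version]] = AFFECTED_RANGES) -> bool:
    """True when the version falls inside any affected range (inclusive)."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in ranges)


def is_fixed(text: str) -> bool:
    """True when the version carries the fix (1.603.3 or later)."""
    return parse_version(text) >= FIXED_IN


def classify(text: str) -> str:
    if is_affected(text):
        return "vulnerable"
    if is_fixed(text):
        return "fixed"
    return "outside affected range"


if __name__ == "__main__":
    # Constructed sample inputs, not observed data.
    for sample in ["v1.603.2", "v1.603.3", "1.275.9", "v1.400.1-ee"]:
        print(f"{sample:14} -> {classify(sample)}")
```

Feed `classify()` the body of `GET /api/version` from each instance you operate; a result of "outside affected range" for a pre-1.276.0 build means the advisory's range does not cover it, not that it is safe to run.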

Mitigation and Workarounds

The primary mitigation for CVE-2026-23696 is to upgrade Windmill to version 1.603.3 or later without delay. Until that is possible, apply temporary workarounds: restrict the ability to manage folder ownership to trusted users, since any authenticated account can reach the vulnerable code path; at a reverse proxy or Web Application Firewall (WAF) in front of the instance, reject owner values containing SQL metacharacters (quotes, semicolons, comment sequences) and enable SQL injection rule sets as a second layer; and review Windmill and PostgreSQL logs for folder ownership changes carrying such characters or for other unusual activity. After upgrading, confirm that the running instance reports version 1.603.3 or later rather than probing the endpoint with injection payloads. If you suspect the instance was exploited before the upgrade, treat the JWT signing secret as compromised and rotate it, then review administrative accounts and recent workflow executions.
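The log review and owner-value filtering described above can be expressed as one allow-list check, shown here as an added Python example that is not part of this advisory or of Windmill's code. It assumes Windmill names folder owners as `u/<user>` or `g/<group>` and that ownership changes are logged with the request path and the submitted owner value as JSON events; the event format, the `/folders/addowner` and `/folders/removeowner` paths and all sample lines are constructed for the example. Anything that fails the allow-list is flagged, which catches injection attempts without having to enumerate payload patterns.

```python
import json
import re
from typing import Dict, List

# Expected owner shape (assumption): u/<user> or g/<group>, safe characters only.
OWNER_RE = re.compile(r"^[ug]/[A-Za-z0-9_.-]+$")

# Request paths for folder ownership changes (assumption; adjust to your logs).
OWNER_PATH_RE = re.compile(r"/folders/(addowner|removeowner)/")


def valid_owner(owner: str) -> bool:
    """Allow-list check: a legitimate owner matches the expected shape exactly."""
    return bool(OWNER_RE.match(owner))


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return folder-ownership events whose owner field fails the allow-list.

    Each input line is one JSON object with at least 'path' and 'owner';
    malformed lines and unrelated paths are skipped.
    """
    flagged: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        path = ev.get("path", "")
        if not OWNER_PATH_RE.search(path):
            continue
        owner = ev.get("owner", "")
        if not valid_owner(owner):
            flagged.append({
                "ts": ev.get("ts", ""),
                "actor": ev.get("actor", ""),
                "path": path,
                "owner": owner,
            })
    return flagged


# Constructed sample events (not real logs): two benign, two hostile, one unrelated.
SAMPLE_LOG = """
{"ts":"2026-04-08T10:01:00Z","actor":"u/alice","path":"/api/w/demo/folders/addowner/finance","owner":"u/bob"}
{"ts":"2026-04-08T10:02:10Z","actor":"u/alice","path":"/api/w/demo/folders/addowner/finance","owner":"g/analysts"}
{"ts":"2026-04-08T10:03:45Z","actor":"u/mallory","path":"/api/w/demo/folders/addowner/finance","owner":"u/bob' OR 1=1 --"}
{"ts":"2026-04-08T10:04:02Z","actor":"u/mallory","path":"/api/w/demo/folders/removeowner/finance","owner":"g/x'); SELECT 1;--"}
{"ts":"2026-04-08T10:05:00Z","actor":"u/alice","path":"/api/w/demo/scripts/get/p/foo","owner":"irrelevant"}
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['actor']} {hit['path']} owner={hit['owner']!r}")
```

The same `OWNER_RE` allow-list is what a proxy or WAF rule should enforce on the owner parameter: a blocklist of SQL keywords is easy to evade, whereas a legitimate owner name has a narrow, fixed shape.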

How to fix

Update Windmill to version 1.603.3 or later. The fix corrects the unsafe handling of the owner value in the folder ownership management functionality, closing the SQL injection that leads to arbitrary code execution.

Frequently asked questions

What is CVE-2026-23696 — RCE in Windmill Folder Ownership?

CVE-2026-23696 is a critical SQL injection vulnerability in Windmill CE and EE versions 1.276.0 through 1.603.2 that lets authenticated attackers read sensitive data, including the JWT signing secret, and escalate to remote code execution.

Am I affected by CVE-2026-23696 in Windmill?

If you are running Windmill CE or EE at any version from 1.276.0 through 1.603.2, you are affected. Version 1.603.3 and later contain the fix.

How do I fix CVE-2026-23696 in Windmill?

Upgrade Windmill to version 1.603.3 or later. If an immediate upgrade is not possible, restrict who can manage folder ownership and filter the owner parameter for SQL injection at a WAF or reverse proxy in the meantime.

Is CVE-2026-23696 being actively exploited?

No public exploit was confirmed at the time of writing and the CVE is not listed in CISA KEV, but the severity and the simplicity of SQL injection make exploitation likely once details circulate.

Where can I find the official Windmill advisory for CVE-2026-23696?

Refer to the official Windmill security advisory for detailed information and updates: [https://windmill.systems/security](https://windmill.systems/security)
