Platform: nodejs
Component: windmill-labs/windmill
Fixed in: 1.603.3
CVE-2026-23696 is a critical Remote Code Execution (RCE) vulnerability discovered in Windmill CE and EE versions 1.276.0 through 1.603.2. This vulnerability allows authenticated attackers to inject malicious SQL code through the folder ownership management functionality. Successful exploitation could lead to the compromise of sensitive data and complete system takeover. The vulnerability is fixed in version 1.603.3.
The impact of CVE-2026-23696 is severe. An attacker exploiting this SQL injection vulnerability can read sensitive data from the database, including the JWT signing secret used for authentication and the identifiers of administrative users. With the JWT signing secret, the attacker can forge administrative tokens and impersonate an administrator, which in turn allows arbitrary code execution through the workflow execution endpoints and full control over the Windmill instance. Data exfiltration, system modification, and denial of service all follow from that level of access. As with other SQL injection flaws that expose credentials and configuration data, a single injectable parameter is enough to escalate to widespread compromise.
CVE-2026-23696 was publicly disclosed on 2026-04-07. The vulnerability's criticality (CVSS 9.9) and the potential for JWT secret compromise suggest a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the ease of exploitation inherent in SQL injection vulnerabilities makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (20th percentile)
The primary mitigation for CVE-2026-23696 is to upgrade Windmill to version 1.603.3 or later immediately. If upgrading is not immediately feasible, apply temporary workarounds: restrict access to the folder ownership management functionality to trusted users only; enforce strict input validation on the 'owner' parameter so that injected SQL is rejected before it reaches the database; monitor Windmill logs for suspicious SQL queries or unusual activity; and consider a Web Application Firewall (WAF) with SQL injection protection rules to block malicious requests. After upgrading, confirm the fix by attempting to inject a simple SQL query through the folder ownership management functionality; it should be rejected.
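As an added illustration (not Windmill's own code), the query pattern that produces this class of bug sits beside the hardened form the mitigation above describes: an allowlist check on the owner value followed by a bound parameter. It uses a hypothetical, simplified ownership table in Python's sqlite3, and the `u/<user>` / `g/<group>` owner format is an assumption about Windmill's naming conventions.

```python
import re
import sqlite3

# Hypothetical simplified model of a folder-ownership table. Assumption: the
# real Windmill schema differs; this only illustrates the query pattern.
OWNER_RE = re.compile(r"[ug]/[A-Za-z0-9_.-]{1,64}")


def validate_owner(owner: str) -> bool:
    """Allowlist check: an owner must look like u/<user> or g/<group>."""
    return OWNER_RE.fullmatch(owner) is not None


def setup_db() -> sqlite3.Connection:
    """In-memory table seeded with one constructed folder owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folder_owner (workspace_id TEXT, folder TEXT, owner TEXT)")
    conn.execute("INSERT INTO folder_owner VALUES ('demo', 'finance', 'u/alice')")
    return conn


def list_owners(conn, workspace_id, folder):
    rows = conn.execute(
        "SELECT owner FROM folder_owner WHERE workspace_id = ? AND folder = ? ORDER BY owner",
        (workspace_id, folder),
    )
    return [r[0] for r in rows]


def add_owner_unsafe(conn, workspace_id, folder, owner):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so a
    # quote character in `owner` alters the statement instead of being stored.
    sql = f"INSERT INTO folder_owner VALUES ('{workspace_id}', '{folder}', '{owner}')"
    conn.execute(sql)
    return list_owners(conn, workspace_id, folder)


def add_owner_safe(conn, workspace_id, folder, owner):
    # Hardened form: allowlist validation first, then a bound parameter so the
    # value is always treated as data, never as SQL.
    if not validate_owner(owner):
        raise ValueError(f"rejected owner value: {owner!r}")
    conn.execute(
        "INSERT INTO folder_owner VALUES (?, ?, ?)", (workspace_id, folder, owner)
    )
    return list_owners(conn, workspace_id, folder)
```

With the unsafe function, a value containing a quote turns into a malformed statement (the database raises an error); with the safe function, the same value never reaches the database at all.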
Update Windmill to version 1.603.3 or higher to mitigate the SQL injection vulnerability. This update corrects the improper file ownership handling, preventing arbitrary code execution via SQL injection in the folder ownership management functionality.
CVE-2026-23696 is a critical Remote Code Execution vulnerability in Windmill versions 1.0.0–1.603.3, allowing authenticated attackers to inject SQL and potentially execute arbitrary code.
If you are running Windmill CE or EE versions 1.276.0 through 1.603.3, you are vulnerable to this RCE vulnerability.
Upgrade Windmill to version 1.603.3 or later to remediate the vulnerability. Implement temporary workarounds like input validation and access restrictions if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of future exploitation.
Refer to the official Windmill security advisory for detailed information and updates: [https://windmill.systems/security](https://windmill.systems/security)