Platform: rust
Component: windmill
Fixed in: 1.664.1
CVE-2026-33881 describes a code injection vulnerability in Windmill, an open-source developer platform. It allows anyone who can set workspace environment variables (in practice, a workspace administrator) to inject arbitrary JavaScript into NativeTS scripts by crafting a variable value that contains a single quote. Versions of Windmill prior to 1.664.0 are vulnerable, and a patch has been released.
The flaw is in how the NativeTS executor injects workspace environment variables into the script it runs. The executor interpolates each value into a single-quoted JavaScript string literal without escaping single quotes, so a value of the form `x'; <attacker code>; '` closes the literal early and the remainder is parsed and executed as JavaScript. A malicious workspace administrator can therefore set one environment variable and have the injected code run inside every NativeTS script executed in that workspace, with whatever access those scripts have. The potential impact includes data exfiltration, unauthorized code execution, and full compromise of the affected workspace.
This vulnerability was publicly disclosed on 2026-03-27. There are currently no known public proof-of-concept exploits, and the vulnerability is not listed in the CISA KEV catalog at the time of writing. Given the high impact but the need for workspace-administrator access and the absence of public exploits, the probability of exploitation is considered medium, although the EPSS estimate (0.06%) is low.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC: (no decision listed)
The primary mitigation is to upgrade Windmill to version 1.664.0 or later, which contains the fix. Note that the package metadata at the top of this page lists 1.664.1 as the fixed release; to be safe, upgrade to at least that version. If an immediate upgrade is not feasible, restrict workspace administrator privileges so that only trusted users can set workspace environment variables, and review every existing workspace environment variable for single quotes, backslashes or line breaks in its value, since any of these can break out of a single-quoted literal. A WAF rule is not a practical control here because the payload is stored configuration rather than a request pattern; reviewing changes to workspace environment variables and watching for NativeTS scripts that behave unexpectedly (unexplained outbound connections, errors in scripts that did not change) is a more useful early-warning signal. After upgrading, confirm the fix by setting a harmless test variable whose value contains a single quote (for example `x'; throw new Error('injected'); '`), running a trivial NativeTS script that reads it, and checking that the script receives the value verbatim and no error is thrown.
Update Windmill to version 1.664.0 or higher. This version fixes the code injection caused by unescaped workspace environment variable interpolation in the NativeTS executor, so a malicious administrator can no longer inject arbitrary JavaScript through a variable value.
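As an added illustration (not code from Windmill or from this advisory), the following JavaScript simulates an executor that inlines workspace environment variables into a script prelude. It reproduces the unescaped single-quoted interpolation described above, runs the resulting prelude to show the injected code executing, then shows a hardened builder that emits a proper JavaScript string literal and a small helper for the pre-upgrade review of existing variable values. The `process.env[...]` prelude shape, the variable names and values, and the function names are all assumptions made for this example; Windmill's real executor is not shown.

```javascript
// Added example (not Windmill's code): simulate an executor that inlines
// workspace environment variables into a JavaScript prelude, then show why
// unescaped single-quoted interpolation is exploitable and how to fix it.
// The prelude shape, variable names and values below are constructed.

const WORKSPACE_ENV = {
  API_URL: "https://api.example.internal",
  // Constructed malicious value: closes the literal, runs attacker code, then
  // reopens a literal so the generated prelude still parses cleanly.
  NOTE: "x'; globalThis.injected = (globalThis.injected || 0) + 1; '",
};

// Vulnerable: the value is dropped straight into a single-quoted literal.
function buildPreludeVulnerable(env) {
  return Object.entries(env)
    .map(([name, value]) => `process.env['${name}'] = '${value}';`)
    .join("\n");
}

// Hardened: emit a valid JavaScript string literal via JSON.stringify, which
// escapes quotes, backslashes and control characters (JSON string literals
// are a syntactic subset of JavaScript string literals since ES2019).
function buildPreludeHardened(env) {
  return Object.entries(env)
    .map(([name, value]) =>
      `process.env[${JSON.stringify(name)}] = ${JSON.stringify(String(value))};`)
    .join("\n");
}

// Execute a prelude against a fake process object and report whether the
// attacker's side effect fired and what the script actually sees in env.
// `process` inside the generated function is the parameter, not Node's global.
function runPrelude(prelude) {
  globalThis.injected = 0;
  const fakeProcess = { env: {} };
  new Function("process", prelude)(fakeProcess);
  return { env: fakeProcess.env, injected: globalThis.injected };
}

// Pre-upgrade review helper: names of variables whose values could break out
// of a single-quoted literal (quote, backslash, or a line terminator).
function flagSuspiciousEnvValues(env) {
  return Object.entries(env)
    .filter(([, value]) => /['\\\r\n\u2028\u2029]/.test(String(value)))
    .map(([name]) => name);
}

const vulnerable = runPrelude(buildPreludeVulnerable(WORKSPACE_ENV));
const hardened = runPrelude(buildPreludeHardened(WORKSPACE_ENV));
console.log("vulnerable prelude ran attacker code:", vulnerable.injected === 1);
console.log("hardened prelude ran attacker code:", hardened.injected === 1);
console.log("hardened value preserved verbatim:", hardened.env.NOTE === WORKSPACE_ENV.NOTE);
console.log("variables to review before upgrading:", flagSuspiciousEnvValues(WORKSPACE_ENV));
```

The hardened builder is the general fix for any "value into code" interpolation: serialize the value as a literal of the target language rather than quoting it by hand, because a hand-rolled quote wrapper has to account for every character that can terminate the literal, not only the single quote.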
CVE-2026-33881 is a code injection vulnerability in Windmill versions prior to 1.664.0. It allows a workspace administrator to inject JavaScript into every NativeTS script in the workspace by setting a workspace environment variable whose value contains a single quote.
You are affected if you run Windmill older than 1.664.0 and have workspace administrators you do not fully trust. Upgrade to 1.664.0 or later (1.664.1 according to the package metadata above) to mitigate the risk.
Upgrade Windmill to version 1.664.0 or later. Restrict workspace administrator privileges as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants caution.
Refer to the Windmill project's official release notes and security advisories for details: [https://windmill.systems/](https://windmill.systems/)