Platform
rust
Component
windmill
Fixed version
1.664.1
CVE-2026-33881 describes a code injection vulnerability affecting Windmill, an open-source developer platform. This flaw allows an attacker to inject malicious JavaScript into NativeTS scripts by crafting environment variable values containing single quotes. Versions of Windmill prior to 1.664.0 are vulnerable, and a patch has been released to address the issue.
The vulnerability lies in the NativeTS executor's handling of workspace environment variables. Specifically, the platform fails to properly escape single quotes when interpolating these variables into JavaScript string literals. A malicious workspace administrator could leverage this by setting an environment variable with a value containing a single quote followed by arbitrary JavaScript code. This injected code will then execute within every NativeTS script running in that workspace, granting the attacker significant control over the platform's behavior. The potential impact includes data exfiltration, unauthorized code execution, and complete compromise of the affected workspace.
This vulnerability was publicly disclosed on 2026-03-27. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the potential for significant impact and the lack of public exploits, the probability of exploitation is considered medium.
Organizations utilizing Windmill for internal development, particularly those with multiple workspace administrators or shared workspace environments, are at risk. Legacy Windmill deployments and those with relaxed environment variable security policies are especially vulnerable.
• rust / platform: Examine workspace environment variables for suspicious characters or code. The following grep lists every line of a .env-style file that contains a single quote, which is the character this flaw turns into a string-literal break:
  find . -name '*.env' -print0 | xargs -0 grep -n "'"
• rust / platform: Monitor NativeTS script execution logs for unexpected JavaScript code or errors.
• generic web: Inspect Windmill workspace configurations for unusual environment variable settings.
• generic web: Review Windmill access logs for attempts to manipulate environment variables.
disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation is to upgrade Windmill to version 1.664.0 or later, which includes a fix for this vulnerability. If upgrading immediately is not feasible, consider restricting workspace administrator privileges to prevent malicious environment variable manipulation. Carefully review all environment variables set within workspaces for suspicious content. While a direct WAF rule is difficult to implement, monitoring for unusual JavaScript execution patterns within NativeTS scripts could provide an early warning sign of exploitation. After upgrading, confirm the fix by attempting to inject a single quote into an environment variable and verifying that the JavaScript is not executed.
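The following is an added illustration, not Windmill's own code: it models the executor pattern described above (a workspace variable interpolated into a single-quoted JavaScript literal), the hardened form that emits a proper string literal instead, a review helper for the "carefully review all environment variables" step, and a round-trip check usable after upgrading. The prelude shape, the `process.env` assignment and the sample variables are assumptions constructed for the example.

```javascript
// Added example (not Windmill's code). Models how an unescaped single quote
// breaks out of a JS string literal, and how to generate the literal safely.

// Constructed sample workspace variables (assumed shape: name -> value).
// GREETING is a legitimate value that happens to contain a single quote.
const SAMPLE_VARS = {
  API_BASE: "https://api.example.internal",
  GREETING: "it's fine",
};

// Vulnerable pattern (hypothetical): wrap the value in single quotes with no
// escaping. Any quote in the value ends the literal early.
function buildPreludeUnsafe(vars) {
  return Object.entries(vars)
    .map(([k, v]) => `process.env[${JSON.stringify(k)}] = '${v}';`)
    .join("\n");
}

// Hardened form: JSON.stringify emits a valid JS string literal for any value,
// escaping quotes, backslashes and control characters.
function buildPreludeSafe(vars) {
  return Object.entries(vars)
    .map(([k, v]) => `process.env[${JSON.stringify(k)}] = ${JSON.stringify(String(v))};`)
    .join("\n");
}

// Review helper: names of variables whose value could break a single-quoted
// literal (quote, backslash, line terminators). Use it to triage, not to block
// legitimate values such as GREETING above.
function findRiskyValues(vars) {
  return Object.entries(vars)
    .filter(([, v]) => /['\\\r\n\u2028\u2029]/.test(String(v)))
    .map(([k]) => k);
}

// Verification: run the generated prelude against a throwaway `process` object
// and confirm every value arrives unchanged. A prelude that does not even parse
// (the unsafe builder with a quote in a value) is reported as a failure rather
// than executed.
function preludeRoundTrips(prelude, vars) {
  const env = {};
  try {
    new Function("process", prelude)({ env });
  } catch (e) {
    return false; // SyntaxError: the literal was broken by the value
  }
  return Object.entries(vars).every(([k, v]) => env[k] === String(v));
}

console.log("risky:", findRiskyValues(SAMPLE_VARS));
console.log("unsafe round-trips:", preludeRoundTrips(buildPreludeUnsafe(SAMPLE_VARS), SAMPLE_VARS));
console.log("safe round-trips:", preludeRoundTrips(buildPreludeSafe(SAMPLE_VARS), SAMPLE_VARS));
```

The round-trip check is the post-upgrade verification the text recommends, expressed as code: a correctly escaped prelude assigns a value containing a quote verbatim, while the unsafe builder fails to parse on the same input. Generating literals with `JSON.stringify` (or any equivalent serializer) rather than string concatenation removes the class of bug entirely, which is the fix pattern to look for when reviewing similar executors.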
Update Windmill to version 1.664.0 or later. This version fixes the code injection vulnerability caused by inserting workspace environment variables into the NativeTS executor without escaping them. Updating prevents a malicious administrator from injecting arbitrary JavaScript code.
CVE-2026-33881 is a code injection vulnerability in Windmill versions up to 1.664.0. It allows attackers to inject JavaScript by manipulating workspace environment variables.
You are affected if you are using Windmill version 1.664.0 or earlier. Upgrade to 1.664.0 to mitigate the risk.
Upgrade Windmill to version 1.664.0 or later. Restrict workspace administrator privileges as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants caution.
Refer to the Windmill project's official release notes and security advisories for details: [https://windmill.systems/](https://windmill.systems/)