
Windmill < 1.603.3 File Ownership Handling SQLi RCE

Severity
critical
Date
Affecting
  • Windmill CE (Community & Enterprise Editions) v1.276.0 < 1.603.3
  • Nextcloud Flow v1.0.0 <= 1.2.2

CWE
  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS
9.4
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Credit
Valentin Lobstein (Chocapikk)
Description
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
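
A triage check for the affected ranges listed above, as an added example that is not part of the advisory or of Windmill's code. It compares versions numerically, since a plain string comparison would sort 1.99.0 after 1.276.0; the product keys, hostnames and the "CE v"/"EE v" prefixed version strings are assumptions made for the example.

```python
import re

# Affected ranges as stated in the advisory above:
# product key (hypothetical name) -> (first affected, upper bound, bound is inclusive)
AFFECTED = {
    "windmill": ((1, 276, 0), (1, 603, 3), False),   # v1.276.0 < 1.603.3
    "nextcloud-flow": ((1, 0, 0), (1, 2, 2), True),  # v1.0.0 <= 1.2.2
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'CE v1.603.2' or '1.2.2'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(product, version_text):
    """True if the version falls inside the advisory's range for the product."""
    low, high, inclusive = AFFECTED[product]
    v = parse_version(version_text)
    if v < low:
        return False
    return v <= high if inclusive else v < high


def triage(inventory):
    """Map each host in (host, product, version) rows to 'AFFECTED', 'ok' or 'unknown'."""
    results = {}
    for host, product, version_text in inventory:
        try:
            results[host] = "AFFECTED" if is_affected(product, version_text) else "ok"
        except (KeyError, ValueError):
            results[host] = "unknown"  # unlisted product or unparsable version: check by hand
    return results


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("wm-prod", "windmill", "CE v1.603.2"),
    ("wm-stage", "windmill", "EE v1.603.3"),
    ("wm-old", "windmill", "v1.275.9"),
    ("nc-flow", "nextcloud-flow", "1.2.2"),
    ("wm-dev", "windmill", "latest"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` (for example an image tagged `latest`) need their running version confirmed manually before they are ruled out.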
