CVE-2026-23696 CRITICAL

CVE-2026-23696: Windmill < 1.603.3 File Ownership Handling SQLi RCE

Vendor Windmill Labs
Product Windmill CE (Community Edition)
Weakness CWE-89 · SQLi
Published April 7, 2026
Last update May 25, 2026

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

Description

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows an authenticated attacker to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Key dates

Disclosure timeline

April 7, 2026 CVE published
May 25, 2026 Record updated