CVE-2026-22683

HIGH LAB

Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE

Title source: cna

Description

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

References (6)

Scores

CVSS v3 8.8
EPSS 0.0035
EPSS Percentile 57.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull nextcloud/all-in-one:latest
docker pull ghcr.io/windmill-labs/windmill:1.394.4
docker pull ghcr.io/windmill-labs/windmill:1.603.2
docker pull curlimages/curl:latest

Details

CWE
CWE-862
Status published
Products (5)
Nextcloud/Flow 1.0.0 - 1.3.1
Windmill Labs/Windmill CE (Community Edition) 1.56.0 - 1.614.0
Windmill Labs/Windmill CE (Community Edition) 1.615.0
Windmill Labs/Windmill EE (Enterprise Edition) 1.56.0 - 1.614.0
Windmill Labs/Windmill EE (Enterprise Edition) 1.615.0
Published Apr 07, 2026
Tracked Since Apr 07, 2026