Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Title source: cnaDescription
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.
References (6)
Core 6
Core References
Exploit technical-description
exploit
https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
Release Notes release-notes
https://github.com/windmill-labs/windmill/releases/tag/v1.615.0
Patch patch
https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b
Product product
https://www.windmill.dev/
Release Notes release-notes
https://apps.nextcloud.com/apps/flow/releases
Scores
CVSS v3
8.8
EPSS
0.0068
EPSS Percentile
47.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Lab Environment
COMMUNITY
SUSPICIOUS
Community Lab
Details
CWE
CWE-862
Status
published
Products (7)
nextcloud/flow
1.0.0 - 1.2.2
Nextcloud/Flow
1.0.0 - 1.3.1
windmill/windmill
1.56.0 - 1.614.0
Windmill Labs/Windmill CE (Community Edition)
1.56.0 - 1.614.0
Windmill Labs/Windmill CE (Community Edition)
1.615.0
Windmill Labs/Windmill EE (Enterprise Edition)
1.56.0 - 1.614.0
Windmill Labs/Windmill EE (Enterprise Edition)
1.615.0
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026