Windmill < 1.603.3 File Ownership Handling SQLi RCE
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
References (7)
Third Party Advisory: https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce
Exploit (technical description): https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
Release Notes: https://github.com/windmill-labs/windmill/releases/tag/v1.603.3
Patch: https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe
Product: https://www.windmill.dev/
Release Notes: https://apps.nextcloud.com/apps/flow/releases
Scores
CVSS v3: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0506
EPSS Percentile: 91.2%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Lab Environment
COMMUNITY
SUSPICIOUS
Community Lab
Details
CWE: CWE-89
Status: published
Products (7)
Nextcloud/Flow: 1.0.0 - 1.2.2
Nextcloud/Flow: 1.3.0
Nextcloud/Flow: 1.3.1
Windmill Labs/Windmill CE (Community Edition): 1.276.0 - 1.603.2
Windmill Labs/Windmill CE (Community Edition): 1.603.3
Windmill Labs/Windmill EE (Enterprise Edition): 1.276.0 - 1.603.2
Windmill Labs/Windmill EE (Enterprise Edition): 1.603.3
Published: Apr 07, 2026
Tracked Since: Apr 07, 2026