CVE-2026-29059

HIGH NUCLEI LAB

Windmill < 1.603.3 - Unauthenticated Path Traversal via Get Log File Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-29059. PoCs published by Chocapikk. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a sophisticated exploit framework for CVE-2026-29059, targeting unauthenticated path traversal in Windmill and Nextcloud Flow, leading to credential leaks and remote code execution. The exploit includes Metasploit modules, Docker labs for testing, and detailed documentation.

Description

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.

Exploits (1)

nomisec WORKING POC 1 stars

by Chocapikk · poc

https://github.com/Chocapikk/Windfall

View Code ZIP pw:eip

This repository contains a sophisticated exploit framework for CVE-2026-29059, targeting unauthenticated path traversal in Windmill and Nextcloud Flow, leading to credential leaks and remote code execution. The exploit includes Metasploit modules, Docker labs for testing, and detailed documentation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Windmill v1.309.0–v1.603.2, Nextcloud Flow v1.0.0–v1.2.2

No auth needed

Prerequisites: Network access to vulnerable endpoint · Docker socket access (for host escape)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 09, 2026 Full analysis →

Nuclei Templates (1)

Windmill/Nextcloud Flow < 1.603.3 - Unauthenticated Path Traversal

CRITICALVERIFIEDby 0x_Akoko

Shodan: http.html:"Windmill" http.html:"svelte-global-loader"

FOFA: app="Windmill"

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/windmill-labs/windmill/security/advisories/GHSA-24fr-44f8-fqwg

Release Notes x_refsource_misc

https://github.com/windmill-labs/windmill/releases/tag/v1.603.3

Various Sources

https://github.com/Chocapikk/Windfall

Scores

CVSS v3 7.5

EPSS 0.2331

EPSS Percentile 96.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Lab Environment

COMMUNITY SUSPICIOUS

Community Lab

docker pull nextcloud/all-in-one:latest

docker pull ghcr.io/windmill-labs/windmill:1.394.4

docker pull ghcr.io/windmill-labs/windmill:1.603.2

docker pull curlimages/curl:latest

https://github.com/Chocapikk/Windfall

View in Library

Details

CWE

CWE-22

Status published

Products (2)

windmill/windmill < 1.603.3

windmill-labs/windmill < 1.603.3

Published Mar 06, 2026

Tracked Since Mar 06, 2026