Authorization Bypass in Windmill Allows Unauthorized Modifications
CVE-2026-22683

8.7 HIGH

Key Information:

Badges

👾 Exploit Exists

What is CVE-2026-22683?

A critical authorization bypass vulnerability exists in Windmill, versions 1.56.0 through 1.614.0, allowing users with the Operator role to perform actions that should be restricted, such as entity creation and modification via the backend API. Although Operators are intended to lack permission for such actions, the API fails to enforce these controls on workspace endpoints. This oversight can lead to privilege escalation, enabling Operators to create and modify scripts, flows, and apps, as well as potentially execute scripts through the jobs API, which poses a serious risk of remote code execution. This flaw has been present since the introduction of the Operator role.
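As an added example (not code from the advisory or from Windmill), the snippet below shows a deny-by-default authorization check of the kind that would have enforced the Operator restriction on workspace endpoints, plus a scan of audit-log lines for successful Operator writes, which is what an unpatched instance would record if the bypass were used. The route shape, role names and log format are assumptions for illustration.

```python
"""Constructed authorization-matrix check and audit-log scan for the Operator-role
gap described above. Routes, role names and the log format are assumptions for
illustration, not Windmill's own API or code."""
import re

# Workspace resources the advisory says Operators must not create or modify.
RESTRICTED_RESOURCES = {"scripts", "flows", "apps"}

# Assumed route shape: /api/w/<workspace>/<resource>/<action>/...
ROUTE_RE = re.compile(r"^/api/w/(?P<ws>[^/]+)/(?P<resource>[^/]+)/(?P<action>[^/]+)")

# Constructed policy: who may do what. Operators are read-only on restricted resources.
POLICY = {
    "admin": lambda resource, method: True,
    "developer": lambda resource, method: True,
    "operator": lambda resource, method: method == "GET" or resource not in RESTRICTED_RESOURCES,
}

def authorize(role: str, method: str, path: str) -> bool:
    """Deny by default: unknown routes and unknown roles are refused, so a route that
    forgot its role check cannot silently grant access (the failure mode in the CVE)."""
    m = ROUTE_RE.match(path)
    if not m:
        return False
    return POLICY.get(role, lambda *_: False)(m["resource"], method)

# Constructed audit-log lines: <timestamp> role=<role> <METHOD> <path> <status>
SAMPLE_LOG = """\
2026-01-10T09:00:01Z role=operator GET /api/w/demo/scripts/get/p/u/alice/hello 200
2026-01-10T09:00:07Z role=operator POST /api/w/demo/scripts/create 201
2026-01-10T09:01:12Z role=developer POST /api/w/demo/flows/create 201
2026-01-10T09:02:30Z role=operator PUT /api/w/demo/apps/update/p/f/dash 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) role=(?P<role>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def find_policy_violations(log_text: str) -> list[dict]:
    """Return successful (2xx) requests the policy would have denied. On an unpatched
    instance these are exactly the Operator writes the advisory describes."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2") and not authorize(m["role"], m["method"], m["path"]):
            findings.append(m.groupdict())
    return findings

if __name__ == "__main__":
    for f in find_policy_violations(SAMPLE_LOG):
        print(f"{f['ts']} {f['role']} {f['method']} {f['path']}")
```

Run against real access logs only after adapting LOG_RE and ROUTE_RE to the instance's actual log and route formats.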

Affected Version(s)

Flow 1.0.0 through 1.3.1

Windmill CE (Community Edition) 1.56.0 through 1.614.0

Windmill EE (Enterprise Edition) 1.56.0 through 1.614.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)