OAuth Client Secrets Exposure in Windmill Developer Platform by Windmill Labs
CVE-2026-26964

2.7LOW

Key Information:

Vendor

Windmill-labs

Status
Windmill
Vendor
CVE Published:
19 February 2026

What is CVE-2026-26964?

A vulnerability in the Windmill Developer Platform allows non-admin users to access sensitive Slack OAuth client secrets through the GET /api/w/{workspace}/workspaces/get_settings endpoint. This should only be accessible to workspace administrators. Users can receive unredacted workspace settings, which should not include Slack configuration details. The issue arises from legacy storage practices where values were stored plainly, leading to their visibility to unauthorized users. This vulnerability has been addressed in version 1.635.0.

Affected Version(s)

windmill < 1.635.0

References

https://github.com/windmill-labs/windmill/security/adviso...
x_refsource_CONFIRM
https://github.com/windmill-labs/windmill/commit/43218c62...
x_refsource_MISC
https://github.com/windmill-labs/windmill/releases/tag/v1...
x_refsource_MISC

CVSS V3.1

Score:
2.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.