Windmill 1.603.2 SQLi in Folder Ownership via owner Param
CVE-2026-23696 Published on April 7, 2026
Windmill < 1.603.3 File Ownership Handling SQLi RCE
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
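As an added illustration of the defect class described above (not Windmill's own code; the in-memory table and the `u/<user>` / `g/<group>` owner format are assumptions), the string-spliced update is shown beside a hardened version that allowlists the identifier and binds it as a parameter:

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for a folder-ownership record (assumed schema, not Windmill's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folder (name TEXT PRIMARY KEY, owners TEXT)")
    conn.execute("INSERT INTO folder VALUES ('reports', 'u/alice')")
    conn.commit()
    return conn


def build_update_vulnerable(folder, owner):
    """The anti-pattern: caller-controlled owner text is spliced into the SQL statement."""
    return f"UPDATE folder SET owners = owners || ',{owner}' WHERE name = '{folder}'"


def executes_cleanly(conn, sql):
    """Demo helper: does the statement still parse? A benign apostrophe in the owner
    breaks the concatenated form, which shows the input reached the SQL parser."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


# Assumed owner identifier shape (u/<user> or g/<group>), kept deliberately strict.
OWNER_RE = re.compile(r"^[ug]/[A-Za-z0-9_-]{1,64}$")


def validate_owner(owner):
    return OWNER_RE.match(owner) is not None


def add_owner_safe(conn, folder, owner):
    """Hardened form: reject anything outside the allowlist, then bind values as parameters."""
    if not validate_owner(owner):
        raise ValueError(f"rejected owner identifier: {owner!r}")
    conn.execute("UPDATE folder SET owners = owners || ',' || ? WHERE name = ?", (owner, folder))
    conn.commit()


def owners_of(conn, folder):
    row = conn.execute("SELECT owners FROM folder WHERE name = ?", (folder,)).fetchone()
    return row[0].split(",") if row else []
```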
Vulnerability Analysis
CVE-2026-23696 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A public proof of concept (PoC) exploit exists for CVE-2026-23696. The potential impact of an exploit of this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2026-23696 has been classified as a SQL Injection vulnerability or weakness.
Affected Versions
Windmill Labs Windmill CE (Community Edition):
- Version >= 1.276.0, <= 1.603.2 is affected.
- Version 1.603.3 is unaffected.
- Version >= 1.276.0, <= 1.603.2 is affected.
- Version 1.603.3 is unaffected.
- Version >= 1.0.0, <= 1.2.2 is affected.
- Version 1.3.0 is unaffected.
- Version 1.3.1 is unaffected.