VYPR
Critical severity 9.9 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 8, 2026

CVE-2026-23696

Description

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Affected products

  • Windmill/Windmill
    • (no CPE)
    • (no CPE), range: >=1.276.0, <=1.603.2
