VYPR
Low severity2.7NVD Advisory· Published Feb 20, 2026· Updated Apr 14, 2026

CVE-2026-26964

CVE-2026-26964

Description

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Windmill/Windmill2 versions
    cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*range: <1.635.0
    • (no CPE)range: <=1.634.6

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.