Cyber Posture

CVE-2026-22683

High

Published: 07 April 2026

Modified: 24 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mandates enforcement of approved authorizations, addressing the missing API restrictions that allow Operators to create and modify workspace entities.

prevent: Enforces the least-privilege principle to restrict Operators from unauthorized entity creation and modification, and from the subsequent RCE via the jobs API.

prevent: Requires access control decisions to correctly deny Operator role actions on workspace endpoints per policy.

Security Summary

CVE-2026-22683 is a missing authorization vulnerability (CWE-862) affecting Windmill versions 1.56.0 through 1.614.0. The flaw arises because the backend API fails to enforce restrictions on the Operator role for workspace endpoints, despite documentation stating that Operators cannot create or modify entities. This allows Operators to create and update scripts, flows, apps, and raw_apps. The vulnerability has existed since the Operator role's introduction in version 1.56.0 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with the Operator role can exploit this vulnerability over the network with low complexity and no user interaction. By leveraging the unenforced API endpoints, the attacker can create or modify arbitrary entities such as scripts and then execute them via the jobs API. This chain enables direct privilege escalation to remote code execution within the Windmill deployment.

Mitigation is available in Windmill version 1.615.0, as indicated by the project's release notes and a specific commit (c621a74804f4f6e8318819c01e3a23a17698588b) that addresses the authorization bypass. Security practitioners should upgrade to v1.615.0 or later and review Operator role assignments.

A public proof-of-concept exploit named Windfall is available on GitHub (Chocapikk/Windfall), with related details in a blog post describing remote code execution via Windmill in the context of Nextcloud Flow.

Details

CWE(s)

Affected Products

nextcloud / flow: 1.0.0 — 1.2.2
windmill / windmill: 1.56.0 — 1.614.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization in the Windmill API enables the low-privileged Operator role to create, update, and execute scripts for RCE, which directly maps to exploitation of a public-facing application (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References