PT-2026-20970 · Windmill · Windmill
Byamb4 · Published 2026-02-19 · Updated 2026-02-20 · CVE-2026-26964
CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Windmill versions 1.634.6 and below
Description: Windmill is a developer platform for internal code, including APIs, background jobs, workflows, and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The /api/w/{workspace}/workspaces/get settings API endpoint returns the Slack OAuth client secret to any authenticated workspace member, regardless of their admin status. The issue stems from a legacy implementation in which the setting was stored as a plain value instead of through variable indirection, and it was not included in the redaction logic.
Recommendations: Update to version 1.635.0 or later.
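An added illustration of the bug class the description names (a legacy secret stored as a plain value that a hand-maintained redaction list never covered), written as a Rust sketch for this page and not taken from Windmill's code base: the setting keys, the Role type, the denylist and the allowlist are assumptions.

```rust
use std::collections::BTreeMap;

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Role { Member, Admin }

/// A workspace setting is stored either inline or as a reference to a
/// secret variable ("variable indirection"); the reference is safe to show.
#[derive(Clone, Debug, PartialEq)]
pub enum Setting { Plain(String), VarRef(String) }

pub type Settings = BTreeMap<&'static str, Setting>;

/// Constructed sample (not Windmill data): the legacy Slack secret is a plain value.
pub fn sample_settings() -> Settings {
    BTreeMap::from([
        ("slack_team_name", Setting::Plain("acme".into())),
        ("slack_oauth_client_secret", Setting::Plain("CONSTRUCTED-SECRET".into())),
        ("openai_api_key", Setting::VarRef("u/admin/openai_key".into())),
    ])
}

pub const REDACTED: &str = "<redacted>";

/// Vulnerable shape: redaction enumerates the secret keys it knows about.
/// The legacy key was never added, so members receive the Slack secret verbatim.
pub fn vulnerable_response(s: &Settings, role: Role) -> Settings {
    const DENYLIST: &[&str] = &["webhook_signing_secret"]; // slack key forgotten
    s.iter().map(|(k, v)| {
        let hide = role == Role::Member && DENYLIST.contains(k);
        (*k, if hide { Setting::Plain(REDACTED.into()) } else { v.clone() })
    }).collect()
}

/// Hardened shape: members get only an allowlist of non-secret keys plus
/// variable references; every other plain value is redacted by default, so a
/// forgotten legacy field fails closed instead of leaking.
pub fn hardened_response(s: &Settings, role: Role) -> Settings {
    const PUBLIC: &[&str] = &["slack_team_name"];
    s.iter().map(|(k, v)| {
        let show = role == Role::Admin
            || PUBLIC.contains(k)
            || matches!(v, Setting::VarRef(_));
        (*k, if show { v.clone() } else { Setting::Plain(REDACTED.into()) })
    }).collect()
}

/// True when any plain value in the response equals the given secret.
pub fn exposes(s: &Settings, secret: &str) -> bool {
    s.values().any(|v| matches!(v, Setting::Plain(p) if p == secret))
}
```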

Information Disclosure

Related Identifiers

CVE-2026-26964
GHSA-F27G-J463-Q85W

Affected Products

Windmill