PT-2026-23658 · Windmill · Windmill

Chocapikk · Published 2026-03-06 · Updated 2026-04-07

CVE-2026-29059 · CVSS v4.0 6.9 (Medium) · AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Windmill versions prior to 1.603.3
Description: Windmill is a developer platform for internal code, including APIs, background jobs, workflows, and UIs. Prior to version 1.603.3, a path traversal vulnerability exists in the get log file API endpoint ('/api/w/{workspace}/jobs_u/get_log_file/(unknown)'). The filename parameter is concatenated into a file path without sufficient sanitization, which allows an attacker to read arbitrary files on the server by using '../' sequences. Exploitation does not require authentication. The vulnerability allows access to sensitive information, including potential credential leaks, and can lead to root shell access.
Recommendations: Update Windmill to version 1.603.3 or later.
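The root cause named in the description is a user-controlled filename joined onto a log directory without validation. The following Rust example is added here for illustration and is not Windmill's code: it contrasts that concatenation pattern (`naive_log_path`) with a strict resolver (`resolve_log_path`) that walks the decoded filename component by component and accepts only plain names, so `..`, `.` and absolute paths are refused before any file is opened. The log directory, the function and type names, and the percent-decoding helper are all constructed for this example; a real server would rely on its router's decoder, but the check must run on the decoded value either way.

```rust
// Added example (not Windmill code): a strict resolver for a user-supplied log
// filename, contrasted with the concatenation pattern the advisory describes.
use std::path::{Component, Path, PathBuf};

/// Why a requested filename was refused. Hypothetical type for this example.
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    Absolute,
    ParentDir,
    CurDir,
}

/// The unsafe pattern: the caller's string is joined straight onto the log
/// directory. Note that `Path::join` with an absolute argument discards `base`.
pub fn naive_log_path(base: &Path, filename: &str) -> PathBuf {
    base.join(filename)
}

/// Hardened form: walk the (already percent-decoded) filename component by
/// component and accept only `Normal` names, so the result can never leave `base`.
pub fn resolve_log_path(base: &Path, filename: &str) -> Result<PathBuf, PathError> {
    if filename.is_empty() {
        return Err(PathError::Empty);
    }
    let mut out = base.to_path_buf();
    for comp in Path::new(filename).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            Component::ParentDir => return Err(PathError::ParentDir),
            Component::CurDir => return Err(PathError::CurDir),
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
        }
    }
    Ok(out)
}

/// Minimal percent-decoder for one URL path segment (constructed helper; a real
/// server relies on its router's decoder). Malformed escapes are kept literally.
pub fn percent_decode(segment: &str) -> String {
    let bytes = segment.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%'
            && i + 2 < bytes.len()
            && bytes[i + 1..i + 3].iter().all(u8::is_ascii_hexdigit)
        {
            // Both bytes are ASCII hex digits, so neither conversion can fail.
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).unwrap();
            out.push(u8::from_str_radix(hex, 16).unwrap());
            i += 3;
            continue;
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

fn main() {
    // Constructed base directory; Windmill's real log location is not assumed here.
    let base = Path::new("/var/lib/windmill/logs");
    for raw in ["job_123.log", "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd"] {
        let decoded = percent_decode(raw);
        println!(
            "{:>34} -> naive {:?} / strict {:?}",
            raw,
            naive_log_path(base, &decoded),
            resolve_log_path(base, &decoded)
        );
    }
}
```

The allow-list on path components is deliberately stricter than a "contains `../`" denylist: it also rejects an absolute filename, which `Path::join` would otherwise let replace the base directory entirely, and it needs no filesystem access, so it is safe to call before the file is touched.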

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-29059
GHSA-24FR-44F8-FQWG

Affected Products

Windmill