PT-2026-23658 · Windmill · Windmill

Chocapikk · Published 2026-03-06 · Updated 2026-04-07 · CVE-2026-29059

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Windmill versions prior to 1.603.3

Description: Windmill is an open-source developer platform for internal code, including APIs, background jobs, workflows, and UIs. A path traversal vulnerability exists in the get log file endpoint ('/api/w/{workspace}/jobs_u/get_log_file/(unknown)') prior to version 1.603.3. The filename parameter is concatenated into a file path without sufficient sanitization, potentially allowing an attacker to read arbitrary files on the server using '..' sequences. This could lead to the exposure of sensitive information, including the SUPERADMIN_SECRET in some cases. Exploitation requires no authentication.

Recommendations: Update Windmill to version 1.603.3 or later.
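As an added illustration, not Windmill's own code, this shows the hardened form of the path-building step the description faults: a client-supplied file name is only ever appended component by component, and `..`, absolute paths and path prefixes are rejected before the filesystem is touched. Rust is used because Windmill's backend is written in Rust; `resolve_log_path`, `naive_log_path`, `LogPathError` and the sample log directory are assumptions for the example, and the file name is assumed to be already URL-decoded by the router.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a client-supplied log file name is refused (example type, not Windmill's).
#[derive(Debug, PartialEq)]
pub enum LogPathError {
    Empty,
    AbsolutePath,
    ParentTraversal,
}

/// Resolve `filename` strictly inside `log_dir`.
/// Only plain file-name components are accepted; `..` and absolute/prefixed
/// paths are rejected up front, so the check does not depend on the target existing.
pub fn resolve_log_path(log_dir: &Path, filename: &str) -> Result<PathBuf, LogPathError> {
    if filename.is_empty() {
        return Err(LogPathError::Empty);
    }
    let mut out = log_dir.to_path_buf();
    for comp in Path::new(filename).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            // `..` is the traversal primitive named in the advisory: refuse it outright.
            Component::ParentDir => return Err(LogPathError::ParentTraversal),
            // A leading `/` (or a Windows drive prefix) would make join() discard log_dir.
            Component::RootDir | Component::Prefix(_) => return Err(LogPathError::AbsolutePath),
            // A leading `./` is harmless; components() already drops interior ones.
            Component::CurDir => {}
        }
    }
    // Defence in depth: the assembled path must still sit under log_dir.
    if !out.starts_with(log_dir) {
        return Err(LogPathError::ParentTraversal);
    }
    Ok(out)
}

/// Naive concatenation, kept only to show what the check above prevents:
/// `..` segments pass straight through and an absolute name replaces log_dir.
pub fn naive_log_path(log_dir: &Path, filename: &str) -> PathBuf {
    log_dir.join(filename)
}

fn main() {
    let dir = Path::new("/var/log/windmill"); // constructed sample directory
    println!("{:?}", resolve_log_path(dir, "job-123.log"));
    println!("{:?}", resolve_log_path(dir, "../../outside.txt"));
    println!("{:?}", naive_log_path(dir, "../../outside.txt"));
}
```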

Exploit

Fix

RCE

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-29059
GHSA-24FR-44F8-FQWG

Affected Products

Windmill