CVE-2026-22683

Name of the Vulnerable Software and Affected Versions Windmill versions 1.56.0 through 1.614.0

Description Windmill versions 1.56.0 through 1.614.0 have a missing authorization vulnerability. Users with the Operator role can perform prohibited entity creation and modification actions via the backend API. The API does not enforce the Operator restriction on workspace endpoints, allowing Operators to create and update scripts, flows, apps, and raw apps. Operators can also execute scripts via the jobs API, potentially leading to remote code execution within the Windmill deployment.

Recommendations Update Windmill to a version later than 1.614.0.