PT-2026-30914 · Unknown · Windmill CE, Windmill EE

Valentin Lobstein · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-23696

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Windmill CE and EE versions 1.276.0 through 1.603.2

Description: Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality. Authenticated attackers can inject SQL through the owner parameter. This injection allows attackers to read sensitive data, such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.

Recommendations: Windmill CE and EE versions 1.276.0 through 1.603.2 should be updated to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the folder ownership management functionality.

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-23696

Affected Products: Windmill CE, Windmill EE