CVE-2026-47107

Name of the Vulnerable Software and Affected Versions Windmill versions prior to 1.703.2

Description Incorrect default permissions in nsjail sandbox configuration files allow the /etc directory to be bind-mounted without read-write restrictions. This enables authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt during script execution. Attackers can create persistent poisoned entries on worker pods to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM TOKEN JWTs to obtain workspace-admin access to victim workspaces across different tenants.

Recommendations Update to version 1.703.2.