CVE-2026-26964
Unauthorized Access to Slack OAuth Secrets in Windmill Platform
Publication date: 2026-02-20
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| windmill | windmill | up to 1.635.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26964 is a vulnerability in the Windmill open-source developer platform (versions 1.634.6 and below) where non-admin users can access the Slack OAuth client secret through the API endpoint GET /api/w/{workspace}/workspaces/get_settings.
This secret should only be accessible to workspace administrators, but due to a legacy issue, the secret was returned in plaintext to any authenticated workspace member regardless of their admin status.
The problem arose because the Slack OAuth client secret was stored as a plain value and was not included in the redaction logic that normally hides sensitive settings from non-admin users.
The vulnerability was fixed in version 1.635.0 by modifying the API to strip the slack_oauth_client_secret from the response for non-admin users.
How can this vulnerability impact me?
This vulnerability allows any authenticated non-admin workspace member to obtain the Slack OAuth client secret, which is sensitive information.
With this secret, an attacker could impersonate the Windmill Slack application or create phishing OAuth flows targeting workspace members.
However, the impact is somewhat limited because the workspace Slack bot has restricted permissions and cannot read arbitrary messages from channels or direct messages.
The vulnerability is classified as an exposure of sensitive information (CWE-200) and has a low severity CVSS score of 2.7.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the API endpoint GET /api/w/{workspace}/workspaces/get_settings returns the slack_oauth_client_secret field in plaintext to non-admin authenticated users.
To detect this on your system, perform an authenticated API request as a non-admin user to the get_settings endpoint and inspect the JSON response for the presence of the slack_oauth_client_secret.
Example command using curl (replace placeholders accordingly):
- curl -H "Authorization: Bearer <non-admin-user-token>" https://<windmill-server>/api/w/<workspace>/workspaces/get_settings
If the response JSON contains a non-null slack_oauth_client_secret value, the vulnerability is present.
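A defender-side version of the check described above, added here as an example and not part of this advisory or of Windmill's own code: it audits a get_settings JSON response for an unredacted slack_oauth_client_secret and, going beyond the single field the text names, for any other non-null field whose name suggests a secret (the marker list and the sample responses are constructed assumptions, not real Windmill output). Only field names are reported, never the values.

```python
import json
import urllib.request

# Assumed heuristic: field names containing these markers are treated as secrets.
SECRET_MARKERS = ("secret", "token", "password")


def find_exposed_secrets(settings: dict) -> list[str]:
    """Return the names of top-level fields that look like secrets and are not redacted.

    The fixed Windmill release sets the field to null for non-admin users, so a
    null (or empty) value counts as redacted; anything else counts as exposed.
    """
    exposed = []
    for key, value in settings.items():
        if value is None or value == "":
            continue
        if any(marker in key.lower() for marker in SECRET_MARKERS):
            exposed.append(key)
    return sorted(exposed)


def is_vulnerable(settings: dict) -> bool:
    """True when the CVE-2026-26964 condition is present in the response."""
    return "slack_oauth_client_secret" in find_exposed_secrets(settings)


def fetch_settings(server: str, workspace: str, token: str) -> dict:
    """Fetch get_settings with a non-admin user's token (endpoint from the advisory)."""
    url = f"{server}/api/w/{workspace}/workspaces/get_settings"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (hypothetical keys and values, not captured traffic).
VULNERABLE_RESPONSE = json.loads(
    '{"workspace_id": "demo", "slack_oauth_client_secret": "example-client-secret-value"}'
)
FIXED_RESPONSE = json.loads(
    '{"workspace_id": "demo", "slack_oauth_client_secret": null}'
)

if __name__ == "__main__":
    for label, body in (("pre-1.635.0", VULNERABLE_RESPONSE), ("1.635.0+", FIXED_RESPONSE)):
        print(f"{label}: exposed fields = {find_exposed_secrets(body)}")
```

To run it against a live instance, pass the result of fetch_settings() to is_vulnerable(); a True result means the upgrade to 1.635.0 or later is still outstanding.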
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Windmill to version 1.635.0 or later, where the vulnerability has been fixed.
In the fixed version, the slack_oauth_client_secret field is stripped (set to null) from the get_settings API response for non-admin users, preventing unauthorized access.
Until the upgrade can be performed, restrict access to the get_settings endpoint to only trusted admin users or monitor API usage closely to detect unauthorized access attempts.