Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29059 is a high-severity vulnerability in Windmill versions prior to 1.603.3. It is an unauthenticated path traversal flaw in the get_log_file API endpoint, where the filename parameter is not sanitized and directly concatenated into a file path. This allows an attacker to use "../" sequences to read arbitrary files on the server.'}, {'type': 'paragraph', 'content': 'The most critical risk is exposure of the SUPERADMIN_SECRET environment variable, which acts as a Bearer token granting superadmin authentication and enables arbitrary code execution through the job preview API. However, this secret is rarely configured by default and mainly used in embedded Windmill instances, such as those embedded within Nextcloud Flow.'}, {'type': 'paragraph', 'content': 'In Nextcloud Flow deployments, admin credentials are also stored in a predictable configuration file, which can be accessed via this vulnerability, potentially leading to full system compromise.'}, {'type': 'paragraph', 'content': 'For standalone Windmill instances without SUPERADMIN_SECRET configured, the vulnerability is limited to arbitrary file reading. The issue was fixed in version 1.603.3 by sanitizing the filename parameter to prevent directory traversal.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files on the server without authentication.

If the SUPERADMIN_SECRET environment variable is set, an attacker can gain superadmin authentication, enabling arbitrary code execution and full control over the system.

In deployments like Nextcloud Flow where Windmill is embedded, attackers can also access admin credentials stored in predictable configuration files, leading to full system compromise.

For standalone Windmill instances without SUPERADMIN_SECRET configured, the impact is limited to unauthorized file disclosure.

Users of Windmill Cloud and enterprise instances have been updated to the patched version, but self-hosted users are strongly advised to upgrade to version 1.603.3 or later to mitigate these risks.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable API endpoint with path traversal sequences in the filename parameter to see if arbitrary files can be read without authentication.'}, {'type': 'paragraph', 'content': 'For example, you can use curl commands to test the endpoint for directory traversal:'}, {'type': 'list_item', 'content': 'curl -v "http://<windmill-server>/api/w/<workspace>/jobs_u/get_log_file/../../../../etc/passwd"'}, {'type': 'list_item', 'content': 'curl -v "http://<windmill-server>/api/w/<workspace>/jobs_u/get_log_file/../proc/1/environ"'}, {'type': 'paragraph', 'content': 'If these commands return file contents such as /etc/passwd or environment variables, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Windmill to version 1.603.3 or later, where the vulnerability has been patched by sanitizing the filename parameter to prevent directory traversal.

For self-hosted instances, applying this update is strongly advised.

Additionally, if using Windmill embedded within Nextcloud Flow, it is recommended to transition to the new native trigger integration to decouple Windmill and allow independent updates.

Useful 0 Not Useful 0