CVE-2026-26964

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82	Patch
https://github.com/windmill-labs/windmill/releases/tag/v1.635.0	Product Release Notes
https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*

History

14 Apr 2026, 00:50

Type	Values Removed	Values Added
Summary		(es) Windmill es una plataforma de desarrollo de código abierto para código interno: APIs, trabajos en segundo plano, flujos de trabajo e interfaces de usuario. Las versiones 1.634.6 y anteriores permiten a los usuarios no administradores obtener secretos de cliente de Slack OAuth, que solo deberían ser accesibles para los administradores del espacio de trabajo. El endpoint GET /api/w/{workspace}/workspaces/get_settings devuelve el slack_oauth_client_secret a cualquier miembro autenticado del espacio de trabajo, independientemente de su estado de administrador. Es un comportamiento esperado que los usuarios no administradores vean una versión redactada de la configuración del espacio de trabajo, ya que algunos de ellos son necesarios para que el frontend se comporte correctamente incluso para los no administradores. Sin embargo, la configuración de Slack no debería ser visible para los no administradores. Este es un problema heredado donde la configuración se almacenaba como un valor sin formato en lugar de usar la indirección de $variable, y nunca se añadió a la lógica de redacción. Este problema ha sido solucionado en la versión 1.635.0.
References	~~() https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82 -~~	() https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82 - Patch
References	~~() https://github.com/windmill-labs/windmill/releases/tag/v1.635.0 -~~	() https://github.com/windmill-labs/windmill/releases/tag/v1.635.0 - Product, Release Notes
References	~~() https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w -~~	() https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w - Exploit, Vendor Advisory
First Time		Windmill Windmill windmill
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:windmill:windmill::::::::

20 Feb 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-20 00:16

Updated : 2026-04-14 00:50

NVD link : CVE-2026-26964

Mitre link : CVE-2026-26964

CVE.ORG link : CVE-2026-26964

JSON object : View

Products Affected

windmill

windmill

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

2.7 /10