CVE-2026-29059

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/(unknown))". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.
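The defect class described above, as an added illustration that is not Windmill's code (the `log_dir` base directory and the surrounding handler are assumed): the concatenation pattern beside a hardened lookup that only accepts a bare file name, so `../` sequences cannot leave the log directory.

```rust
// Added example, not taken from Windmill. `log_dir` is an assumed base directory
// for job log files; the handler that calls these functions is not shown.
use std::path::{Component, Path, PathBuf};

/// Vulnerable pattern: the caller-controlled filename is concatenated straight
/// into the path, so "../../etc/passwd" resolves outside `log_dir`.
pub fn unsafe_log_path(log_dir: &str, filename: &str) -> PathBuf {
    PathBuf::from(format!("{}/{}", log_dir, filename))
}

/// Hardened lookup: accept only a bare file name, i.e. exactly one `Normal`
/// path component (no separators, no `.` or `..`, no root or drive prefix),
/// and join it under `log_dir`. Anything else yields None so the handler can
/// answer with 400/404 instead of touching the filesystem.
pub fn safe_log_path(log_dir: &str, filename: &str) -> Option<PathBuf> {
    // NUL bytes would truncate the path at the OS boundary; reject them early.
    if filename.is_empty() || filename.contains('\0') {
        return None;
    }
    // Backslash is not a separator on Unix, so Path would see "..\\..\\x" as a
    // single Normal component; reject it explicitly so the check also holds
    // when the same file is later served from a Windows host.
    if filename.contains('\\') {
        return None;
    }
    let requested = Path::new(filename);
    let mut components = requested.components();
    match (components.next(), components.next()) {
        // Exactly one component, and it is an ordinary name.
        (Some(Component::Normal(_)), None) => {}
        _ => return None,
    }
    Some(Path::new(log_dir).join(requested))
}

fn main() {
    // Constructed inputs: a legitimate job log name and a traversal attempt.
    for name in ["job-123.log", "../../etc/passwd"] {
        println!("{name:?} -> {:?}", safe_log_path("/var/log/windmill", name));
    }
}
```

An `allowlist` such as `job-<id>.log` naming plus `canonicalize()` followed by a `starts_with(log_dir)` check adds defence in depth once the file is actually opened.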
Configurations

Configuration 1

cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*

History

14 Apr 2026, 17:48

Type / Values Removed / Values Added
References
  • Removed: https://github.com/windmill-labs/windmill/releases/tag/v1.603.3
  • Added: https://github.com/windmill-labs/windmill/releases/tag/v1.603.3 (Release Notes)
References
  • Removed: https://github.com/windmill-labs/windmill/security/advisories/GHSA-24fr-44f8-fqwg
  • Added: https://github.com/windmill-labs/windmill/security/advisories/GHSA-24fr-44f8-fqwg (Vendor Advisory)
References
  • Removed: https://github.com/Chocapikk/Windfall
  • Added: https://github.com/Chocapikk/Windfall (Product)
First Time
  • Added: Windmill
  • Added: Windmill windmill
CVSS
  • Removed: v2 : unknown, v3 : unknown
  • Added: v2 : unknown, v3 : 7.5
CPE
  • Added: cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*

07 Apr 2026, 14:16

Type / Values Removed / Values Added
References
  • Added: https://github.com/Chocapikk/Windfall
Summary
  • Added (es): Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and user interfaces. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint '(/api/w/{workspace}/jobs_u/get_log_file/(unknown))'. The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.

06 Mar 2026, 08:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-06 08:16

Updated : 2026-04-14 17:48


NVD link : CVE-2026-29059

Mitre link : CVE-2026-29059

CVE.ORG link : CVE-2026-29059

Products Affected

windmill

  • windmill
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')