anonhaven
Ad

CVE-2026-26964

LOW CVSS 3.1: 2.7 EPSS 0.06%
Updated Feb 20, 2026
Slack
Parameter Value
CVSS 2.7 (LOW)
Fixed In 1.635.0
Type CWE-200 (Information Exposure)
Vendor Slack
Public PoC No

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status.

It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic.

This issue has been fixed in version 1.635.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-200 Information Exposure

References 3

https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bf…
security-advisories@github.com
https://github.com/windmill-labs/windmill/releases/tag/v1.635.0
security-advisories@github.com
https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q8…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2025-12141

Slack

1.3

CVE-2026-5557

Slack

5.3

CVE-2026-34219

Slack

8.2

CVE-2026-32895

Openclaw

5.3

CVE-2026-28392

Slack

8.2