CVE-2026-29059 Windmill — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	6.9 (MEDIUM)
Fixed In	1.603.3
Type	CWE-22 (Path Traversal (Обход пути))
Vendor	Windmill
Public PoC	No

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences.

This issue has been patched in version 1.603.3.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Attack Requirements

None

Нет дополнительных условий

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

Low

Частичная утечка данных

Integrity

None

Нет модификации данных

Availability

None

Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-22 Path Traversal (Обход пути)

References 2

https://github.com/windmill-labs/windmill/releases/tag/v1.603.3

security-advisories@github.com

https://github.com/windmill-labs/windmill/security/advisories/GHSA-24fr-44f8-fq…

security-advisories@github.com

Menu

CVE-2026-29059

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

CVE Details

Editor's Choice