{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22683", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-08T19:04:26.365Z", "datePublished": "2026-04-07T16:50:30.297Z", "dateUpdated": "2026-04-13T13:04:17.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T16:55:39.956Z"}, "title": "Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "Windmill Labs", "product": "Windmill CE (Community Edition)", "versions": [{"status": "affected", "version": "1.56.0", "lessThanOrEqual": "1.614.0", "versionType": "semver"}, {"status": "unaffected", "version": "1.615.0"}], "defaultStatus": "unaffected"}, {"vendor": "Windmill Labs", "product": "Windmill EE (Enterprise Edition)", "versions": [{"status": "affected", "version": "1.56.0", "lessThanOrEqual": "1.614.0", "versionType": "semver"}, {"status": "unaffected", "version": "1.615.0"}], "defaultStatus": "unaffected"}, {"vendor": "Nextcloud", "product": "Flow", "repo": "https://github.com/nextcloud/flow", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."}]}], "references": [{"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/Chocapikk/Windfall", "tags": ["exploit"]}, {"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0", "tags": ["release-notes"]}, {"url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b", "tags": ["patch"]}, {"url": "https://www.windmill.dev/", "tags": ["product"]}, {"url": "https://apps.nextcloud.com/apps/flow/releases", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Valentin Lobstein (Chocapikk)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22683", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T03:55:45.209485Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:04:17.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22683", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T03:55:45.209485Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:00:41.979Z"}}], "cna": {"title": "Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein (Chocapikk)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Windmill Labs", "product": "Windmill CE (Community Edition)", "versions": [{"status": "affected", "version": "1.56.0", "versionType": "semver", "lessThanOrEqual": "1.614.0"}, {"status": "unaffected", "version": "1.615.0"}], "defaultStatus": "unaffected"}, {"vendor": "Windmill Labs", "product": "Windmill EE (Enterprise Edition)", "versions": [{"status": "affected", "version": "1.56.0", "versionType": "semver", "lessThanOrEqual": "1.614.0"}, {"status": "unaffected", "version": "1.615.0"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/nextcloud/flow", "vendor": "Nextcloud", "product": "Flow", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/Chocapikk/Windfall", "tags": ["exploit"]}, {"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0", "tags": ["release-notes"]}, {"url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b", "tags": ["patch"]}, {"url": "https://www.windmill.dev/", "tags": ["product"]}, {"url": "https://apps.nextcloud.com/apps/flow/releases", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.", "supportingMedia": [{"type": "text/html", "value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T16:55:39.956Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22683", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:04:17.928Z", "dateReserved": "2026-01-08T19:04:26.365Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-07T16:50:30.297Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "390C858F-42E9-41D5-AE97-11242088C2F0", "versionEndIncluding": "1.2.2", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC07ED1D-F0A4-4A59-AA24-52BF463E7D2D", "versionEndIncluding": "1.614.0", "versionStartIncluding": "1.56.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."}], "id": "CVE-2026-22683", "lastModified": "2026-04-24T16:49:50.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:27.037", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://apps.nextcloud.com/apps/flow/releases"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/Chocapikk/Windfall"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.windmill.dev/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Flow", "source": "cna", "vendor": "Nextcloud"}, "product": "flow", "vendor": "nextcloud"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.56.0,1.614.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.615.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Windmill CE (Community Edition)", "source": "cna", "vendor": "Windmill Labs"}, "product": "windmill", "vendor": "windmill-labs"}], "analysis": {"en": {"generated_at": "2026-04-07T22:44:35.176699+00:00", "value": {"mitigation_remediation": ["Upgrade Windmill to version 1.615.0 or later to remove the missing authorization check.", "If an upgrade is not immediately possible, restrict network access to the Windmill backend API or place it behind a firewall to limit exposure to trusted hosts.", "Alternatively, remove or downgrade Operator role permissions so operators cannot create or modify scripts, flows, or apps.", "Verify that no custom plugins or API calls remain that might provide the same privileges."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Windmill releases from version 1.56.0 up to, but not including, 1.615.0 are affected.\nThis includes the Windmill Community Edition (CE) and Enterprise Edition (EE) from Windmill Labs, as well as the Flow component of Nextcloud.\nThe issue is resolved in release 1.615.0 and later versions.\nAll deployments running a version in the vulnerable range should be upgraded or otherwise mitigated.", "description_and_impact": "The vulnerability is a missing authorization check that allows users with the Operator role to create and modify entities such as scripts, flows, apps, and raw_app objects through the backend API.\nOperators are documented and priced as unable to perform those actions, yet the API enforces the restriction only on selected endpoints, leaving operators able to add or update scripts.\nBecause operators can execute scripts via the jobs API, the flaw permits an attacker to gain full code execution on the Windmill deployment.\nThis results in complete compromise of confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The flaw rates a CVSS score of 8.7, indicating a high severity vulnerability.\nWhile an EPSS score is not published, the flaw's existence for over a year and its wide applicability to multiple Windmill CMS installations suggest a significant likelihood of exploitation.\nThe attack requires only authenticated access as a user with the Operator role, which may be granted to non\u2011privileged users.\nAttackers can exploit the vulnerability over the network by sending crafted API requests to the windmill backend, resulting in remote code execution.\nThe vulnerability is not yet listed in the CISA KEV catalog, but the high CVSS and direct RCE potential warrant immediate remediation."}}}}, "created": "2026-04-08T19:36:36.058661+00:00", "updated": "2026-04-08T19:47:39.276335+00:00", "vendors": ["nextcloud", "nextcloud$PRODUCT$flow", "windmill-labs", "windmill-labs$PRODUCT$windmill"]}