{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26964", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.612Z", "datePublished": "2026-02-19T23:57:30.237Z", "dateUpdated": "2026-02-20T15:36:28.646Z"}, "containers": {"cna": {"title": "Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w"}, {"name": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82", "tags": ["x_refsource_MISC"], "url": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82"}, {"name": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0"}], "affected": [{"vendor": "windmill-labs", "product": "windmill", "versions": [{"version": "< 1.635.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T23:57:30.237Z"}, "descriptions": [{"lang": "en", "value": "Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6\n and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0."}], "source": {"advisory": "GHSA-f27g-j463-q85w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:26:42.889549Z", "id": "CVE-2026-26964", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:36:28.646Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26964", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:26:42.889549Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:26:44.452Z"}}], "cna": {"title": "Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members", "source": {"advisory": "GHSA-f27g-j463-q85w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "windmill-labs", "product": "windmill", "versions": [{"status": "affected", "version": "< 1.635.0"}]}], "references": [{"url": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w", "name": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82", "name": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0", "name": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6\n and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T23:57:30.237Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26964", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:36:28.646Z", "dateReserved": "2026-02-16T22:20:28.612Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T23:57:30.237Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFD14609-DFAB-4B7A-98CD-B4537FF97C5B", "versionEndExcluding": "1.635.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6\n and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0."}, {"lang": "es", "value": "Windmill es una plataforma de desarrollo de c\u00f3digo abierto para c\u00f3digo interno: APIs, trabajos en segundo plano, flujos de trabajo e interfaces de usuario. Las versiones 1.634.6 y anteriores permiten a los usuarios no administradores obtener secretos de cliente de Slack OAuth, que solo deber\u00edan ser accesibles para los administradores del espacio de trabajo. El endpoint GET /api/w/{workspace}/workspaces/get_settings devuelve el slack_oauth_client_secret a cualquier miembro autenticado del espacio de trabajo, independientemente de su estado de administrador. Es un comportamiento esperado que los usuarios no administradores vean una versi\u00f3n redactada de la configuraci\u00f3n del espacio de trabajo, ya que algunos de ellos son necesarios para que el frontend se comporte correctamente incluso para los no administradores. Sin embargo, la configuraci\u00f3n de Slack no deber\u00eda ser visible para los no administradores. Este es un problema heredado donde la configuraci\u00f3n se almacenaba como un valor sin formato en lugar de usar la indirecci\u00f3n de $variable, y nunca se a\u00f1adi\u00f3 a la l\u00f3gica de redacci\u00f3n. Este problema ha sido solucionado en la versi\u00f3n 1.635.0."}], "id": "CVE-2026-26964", "lastModified": "2026-04-14T00:50:19.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T00:16:16.330", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.635.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "windmill", "source": "cna", "vendor": "windmill-labs"}, "product": "windmill", "vendor": "windmill-labs"}], "analysis": {"en": {"generated_at": "2026-04-17T17:41:14.572447+00:00", "value": {"mitigation_remediation": ["Upgrade Windmill to version 1.635.0 or later, which removes the secret from the API response.", "If an upgrade is not immediately possible, restrict API access to the /api/w/{workspace}/workspaces/get_settings endpoint so that only administrators can call it, using role\u2011based access control or API rate limiting.", "After remediation, rotate the Slack OAuth client secret to eliminate the risk of any previously exposed credentials being reused."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to Slack OAuth client secrets"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Windmill open\u2011source platform versions 1.634.6 and earlier, affecting all deployments of that codebase. Users of Windmill version 1.635.0 and later are not impacted.", "description_and_impact": "Windmill\u2019s API endpoint for workspace settings transparently returns the Slack OAuth client secret to any authenticated workspace member, regardless of administrative privileges. This disclosure of a private credential directly violates confidentiality principles and, if leveraged, can allow an attacker to impersonate the workspace\u2019s Slack integration or abuse API access. The flaw is rooted in improper handling of sensitive data within the platform, categorized as CWE\u2011200.", "risk_and_exploitability": "With a CVSS score of 2.7 and an EPSS below 1\u202f%, the risk level is low from a purely statistical perspective, and the issue is not listed in CISA\u2019s KEV catalog. Nonetheless, the attack vector is straightforward: any non\u2011admin workspace user who can authenticate to the API can request the endpoint and obtain the secret. This capability is feasible with unlimited objects\u2011oriented user accounts within a workspace, meaning an internal threat actor has a clear path to compromise the Slack integration."}}}}, "created": "2026-02-20T09:53:16.338662+00:00", "updated": "2026-04-17T17:45:24.347514+00:00", "vendors": ["windmill-labs", "windmill-labs$PRODUCT$windmill"]}