CVE-2026-26964 (GCVE-0-2026-26964)
Vulnerability from cvelistv5 – Published: 2026-02-19 23:57 – Updated: 2026-02-20 15:36
VLAI?
Title
Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members
Summary
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6
and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| windmill-labs | windmill |
Affected:
< 1.635.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:26:42.889549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:36:28.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "windmill",
"vendor": "windmill-labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.635.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6\n and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T23:57:30.237Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w"
},
{
"name": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82"
},
{
"name": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.635.0"
}
],
"source": {
"advisory": "GHSA-f27g-j463-q85w",
"discovery": "UNKNOWN"
},
"title": "Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26964",
"datePublished": "2026-02-19T23:57:30.237Z",
"dateReserved": "2026-02-16T22:20:28.612Z",
"dateUpdated": "2026-02-20T15:36:28.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-26964",
"date": "2026-04-17",
"epss": "0.00059",
"percentile": "0.18513"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-26964\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-20T00:16:16.330\",\"lastModified\":\"2026-04-14T00:50:19.050\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6\\n and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.\"},{\"lang\":\"es\",\"value\":\"Windmill es una plataforma de desarrollo de c\u00f3digo abierto para c\u00f3digo interno: APIs, trabajos en segundo plano, flujos de trabajo e interfaces de usuario. Las versiones 1.634.6 y anteriores permiten a los usuarios no administradores obtener secretos de cliente de Slack OAuth, que solo deber\u00edan ser accesibles para los administradores del espacio de trabajo. El endpoint GET /api/w/{workspace}/workspaces/get_settings devuelve el slack_oauth_client_secret a cualquier miembro autenticado del espacio de trabajo, independientemente de su estado de administrador. Es un comportamiento esperado que los usuarios no administradores vean una versi\u00f3n redactada de la configuraci\u00f3n del espacio de trabajo, ya que algunos de ellos son necesarios para que el frontend se comporte correctamente incluso para los no administradores. Sin embargo, la configuraci\u00f3n de Slack no deber\u00eda ser visible para los no administradores. Este es un problema heredado donde la configuraci\u00f3n se almacenaba como un valor sin formato en lugar de usar la indirecci\u00f3n de $variable, y nunca se a\u00f1adi\u00f3 a la l\u00f3gica de redacci\u00f3n. Este problema ha sido solucionado en la versi\u00f3n 1.635.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:windmill:windmill:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.635.0\",\"matchCriteriaId\":\"DFD14609-DFAB-4B7A-98CD-B4537FF97C5B\"}]}]}],\"references\":[{\"url\":\"https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/windmill-labs/windmill/releases/tag/v1.635.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26964\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T15:26:42.889549Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T15:26:44.452Z\"}}], \"cna\": {\"title\": \"Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members\", \"source\": {\"advisory\": \"GHSA-f27g-j463-q85w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"windmill-labs\", \"product\": \"windmill\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.635.0\"}]}], \"references\": [{\"url\": \"https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w\", \"name\": \"https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82\", \"name\": \"https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/windmill-labs/windmill/releases/tag/v1.635.0\", \"name\": \"https://github.com/windmill-labs/windmill/releases/tag/v1.635.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6\\n and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-19T23:57:30.237Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-26964\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T15:36:28.646Z\", \"dateReserved\": \"2026-02-16T22:20:28.612Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-19T23:57:30.237Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…