Windmill API allows unauthorized access to server files
CVE-2026-29059 · CVSS 4.0 score: 6.9
Summary
An attacker can read arbitrary files on the Windmill server without authentication, potentially exposing sensitive data. This issue affects Windmill versions prior to 1.603.3. Update to version 1.603.3 or later to fix the vulnerability.
Original description
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/(unknown))". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.
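The bug class above (CWE-22) comes from building a file path by concatenating a request parameter onto a directory. The following Rust snippet is an added illustration written for this page, not Windmill's code: `naive_log_path` shows the unsafe concatenation pattern the description refers to, and `safe_log_path` shows the check a defender would want in its place, walking the requested name component by component and rejecting anything that is not a plain file or directory name. The function names, the `LogPathError` type and the `/srv/windmill/logs` base directory are constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a user-supplied log file name is rejected.
/// Hypothetical type for this example, not part of Windmill.
#[derive(Debug, PartialEq)]
pub enum LogPathError {
    Empty,
    Absolute,
    Traversal,
}

/// The unsafe pattern the advisory describes: the request parameter is
/// joined onto the log directory with no validation, so a value containing
/// `..` components (or an absolute path) resolves outside the directory.
pub fn naive_log_path(base: &Path, user_name: &str) -> PathBuf {
    base.join(user_name)
}

/// Hardened form: accept only plain path components. `..`, absolute paths,
/// root and drive prefixes are rejected before any path is built, so the
/// result always stays strictly inside `base`. Apply this to the value the
/// router hands over after percent-decoding, not to the raw URL.
pub fn safe_log_path(base: &Path, user_name: &str) -> Result<PathBuf, LogPathError> {
    if user_name.is_empty() {
        return Err(LogPathError::Empty);
    }
    let requested = Path::new(user_name);
    if requested.is_absolute() {
        return Err(LogPathError::Absolute);
    }
    let mut out = base.to_path_buf();
    for comp in requested.components() {
        match comp {
            Component::Normal(part) => out.push(part),
            // A leading "./" is harmless; std already drops interior "." parts.
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(LogPathError::Traversal);
            }
        }
    }
    // Defense in depth: the loop above guarantees containment, so a failure
    // here means the component logic was edited incorrectly.
    debug_assert!(out.starts_with(base));
    Ok(out)
}

fn main() {
    // Constructed sample directory and inputs, not real server paths.
    let base = Path::new("/srv/windmill/logs");
    for name in ["job-42.log", "../../etc/passwd", "/etc/passwd"] {
        println!("naive: {:?}", naive_log_path(base, name));
        println!("safe : {:?}", safe_log_path(base, name));
    }
}
```

The component walk is preferable to a string check for `../` because it also catches absolute paths (which `Path::join` silently substitutes for the base) and platform-specific prefixes. If the log directory itself may contain symlinks created by untrusted users, add a `canonicalize()` of the final path and re-check `starts_with` on the canonical base as well.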
NVD CVSS 4.0 score: 6.9
Vulnerability type: CWE-22 (Path Traversal)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026