
CVE-2026-22683

Severity: High
Weakness Type: CWE-862
Published: Apr 7, 2026 · Modified: Apr 14, 2026 · Source: NVD
CVSS v3: 8.8
📄 Description (English)

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

🤖 AI Executive Summary

Windmill versions 1.56.0-1.614.0 contain a critical authorization bypass allowing Operator-role users to create and modify entities (scripts, flows, apps) they should not have access to, leading to privilege escalation and remote code execution. This vulnerability has persisted since the Operator role's introduction and affects all deployments using these versions. No patch is currently available, requiring immediate compensating controls.

🤖 AI Intelligence Analysis (Analyzed: Apr 22, 2026 16:39)
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi organizations using Windmill for workflow automation, particularly in:
1. Banking sector (SAMA-regulated institutions) - risk of unauthorized script execution in payment processing systems
2. Government agencies (NCA oversight) - potential compromise of administrative workflows and data access
3. Energy sector (ARAMCO, utilities) - critical infrastructure automation at risk
4. Telecom operators (STC, Mobily) - network automation and provisioning systems vulnerable
5. Healthcare providers - patient data processing workflows compromised
The privilege escalation to RCE is particularly severe in air-gapped or sensitive environments.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Energy and Utilities; Telecommunications; Healthcare; Manufacturing; Retail and E-commerce
⚖️ Saudi Risk Score (AI): 8.9 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all Windmill deployments to identify versions 1.56.0-1.614.0
2. Review audit logs for Operator role API calls to workspace endpoints (script creation, flow creation, app creation, raw_app endpoints)
3. Identify and disable all Operator accounts not requiring active use
4. Implement network segmentation to restrict Windmill API access

COMPENSATING CONTROLS (until patch available):
1. Deploy API gateway/WAF rules to block Operator role requests to: /api/w/*/scripts, /api/w/*/flows, /api/w/*/apps, /api/w/*/raw_apps endpoints
2. Implement role-based API access controls at reverse proxy level
3. Enable comprehensive API logging and alerting for all workspace entity creation/modification attempts
4. Restrict job execution API access to authenticated Admin roles only
5. Monitor for suspicious script/flow creation patterns

DETECTION RULES:
- Alert on Operator role API calls to workspace entity creation endpoints
- Monitor for script execution by Operator-created entities
- Track privilege escalation attempts via jobs API
- Flag rapid entity creation/modification by Operator accounts

PATCHING:
- Await vendor patch release; do not upgrade to unverified versions
- When patch available, test in isolated environment before production deployment
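As an added example (not code from this page or from the Windmill project), the detection rules above expressed as a small log-analysis script: it assumes a JSON access log whose records already carry the caller's workspace role, matches write methods against the /api/w/<workspace>/{scripts,flows,apps,raw_apps} prefixes named in the compensating controls, and flags Operator accounts that burst entity writes. The sample records and the sub-paths after the entity name are constructed, not real Windmill routes.

```python
import json
import re
from collections import defaultdict
# Assumption: each log record already carries the caller's role (e.g. from Windmill audit/proxy logs).
# Entity endpoints below are the ones the advisory names as unprotected for Operators.
ENTITY_PATH = re.compile(r"^/api/w/[^/]+/(scripts|flows|apps|raw_apps)(/|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # creation/modification verbs only
RAPID_THRESHOLD, RAPID_WINDOW_S = 3, 60  # N Operator writes within W seconds = burst

def parse_line(line):
    """Parse one JSON access-log record; returns None for malformed or incomplete lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    keys = ("ts", "user", "role", "method", "path")
    return rec if isinstance(rec, dict) and all(k in rec for k in keys) else None

def is_operator_write(rec):
    """True when an Operator issues a write to a scripts/flows/apps/raw_apps endpoint."""
    return (rec["role"] == "operator" and rec["method"].upper() in WRITE_METHODS
            and ENTITY_PATH.match(rec["path"]) is not None)

def analyze(lines):
    """Return (alerts, rapid_users): one alert per Operator write, plus bursting users."""
    alerts, per_user = [], defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if not is_operator_write(rec):
            continue
        entity = ENTITY_PATH.match(rec["path"]).group(1)
        alerts.append({"ts": rec["ts"], "user": rec["user"], "method": rec["method"],
                       "entity": entity, "path": rec["path"]})
        per_user[rec["user"]].append(rec["ts"])
    rapid = set()
    for user, stamps in per_user.items():
        stamps.sort()  # sliding window over RAPID_THRESHOLD consecutive writes
        for i in range(len(stamps) - RAPID_THRESHOLD + 1):
            if stamps[i + RAPID_THRESHOLD - 1] - stamps[i] <= RAPID_WINDOW_S:
                rapid.add(user)
                break
    return alerts, sorted(rapid)
# Constructed sample log, not real Windmill output; the sub-paths after the entity name are made up.
SAMPLE_LOG = [
    '{"ts":1000,"user":"op1","role":"operator","method":"GET","path":"/api/w/demo/scripts/list"}',
    '{"ts":1010,"user":"op1","role":"operator","method":"POST","path":"/api/w/demo/scripts/create"}',
    '{"ts":1020,"user":"op1","role":"operator","method":"POST","path":"/api/w/demo/flows/create"}',
    '{"ts":1030,"user":"op1","role":"operator","method":"POST","path":"/api/w/demo/apps/create"}',
    '{"ts":1040,"user":"admin","role":"admin","method":"POST","path":"/api/w/demo/scripts/create"}',
    'garbage line that is not JSON',
    '{"ts":1100,"user":"op2","role":"operator","method":"PUT","path":"/api/w/demo/raw_apps/update/x"}',
]
```

Running `analyze(SAMPLE_LOG)` yields four alerts (three for op1, one for op2) and flags op1 for rapid entity creation; read-only GETs and Admin writes produce nothing.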
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.9.1.1 - Access control policy and procedures
- ECC 2024 A.9.2.1 - User registration and access rights management
- ECC 2024 A.9.4.3 - Review of user access rights
- ECC 2024 A.14.2.1 - Secure development policy
- ECC 2024 A.12.4.1 - Event logging and monitoring
🔵 SAMA CSF
- SAMA CSF ID.AC-1 - Access Control Policy
- SAMA CSF PR.AC-1 - Processes and procedures for access management
- SAMA CSF PR.AC-4 - Access rights and privileges management
- SAMA CSF DE.AE-1 - Audit and accountability mechanisms
- SAMA CSF RS.MI-2 - Incident response and recovery
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.3 - Segregation of duties
- ISO 27001:2022 A.8.2 - User access management
- ISO 27001:2022 A.8.3 - User responsibilities
- ISO 27001:2022 A.9.2 - User access provisioning
- ISO 27001:2022 A.9.4 - Access rights review
- ISO 27001:2022 A.12.4 - Logging and monitoring
🟣 PCI DSS v4.0.1
- PCI DSS 7.1 - Limit access to system components by business need-to-know
- PCI DSS 7.2 - Establish an access control system
- PCI DSS 8.2 - Ensure proper user identification and authentication
- PCI DSS 10.2 - Implement automated audit trails
📊 CVSS Score: 8.8 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network (N)
- Attack Complexity: Low (L)
- Privileges Required: Low (L)
- User Interaction: None (N)
- Scope: Unchanged (U)
- Confidentiality: High (H)
- Integrity: High (H)
- Availability: High (H)
📋 Quick Facts
- Severity: High
- CVSS Score: 8.8
- CWE: CWE-862
- EPSS: 0.25%
- Exploit: No
- Patch: No
- Published: 2026-04-07
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.9 / 10.0
Priority: CRITICAL
🏷️ Tags: CWE-862