Cyber Posture

CVE-2026-22683

Severity: High (updated)

Published: 07 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixed in Windmill 1.615.0
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (61.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22683 is a high-severity Missing Authorization (CWE-862) vulnerability in Nextcloud Flow. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly mandates enforcement of approved authorizations, addressing the missing API restrictions that allow Operators to create and modify workspace entities.

Prevent (AC-6, Least Privilege): Enforces the least privilege principle to restrict Operators from unauthorized entity creation, modification, and subsequent RCE via the jobs API.

Prevent: Requires access control decisions to correctly deny Operator role actions on workspace endpoints per policy.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization in the Windmill API enables the low-privileged Operator role to create, update and execute scripts, achieving RCE; this directly corresponds to exploitation of a public-facing application (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

Deeper analysis

CVE-2026-22683 is a missing authorization vulnerability (CWE-862) affecting Windmill versions 1.56.0 through 1.614.0. The flaw arises because the backend API fails to enforce restrictions on the Operator role for workspace endpoints, despite documentation stating that Operators cannot create or modify entities. This allows Operators to create and update scripts, flows, apps, and raw_apps. The vulnerability has existed since the Operator role's introduction in version 1.56.0 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with the Operator role can exploit this vulnerability over the network with low complexity and no user interaction. By leveraging the unenforced API endpoints, the attacker can create or modify arbitrary entities such as scripts and then execute them via the jobs API. This chain enables direct privilege escalation to remote code execution within the Windmill deployment.

Mitigation is available in Windmill version 1.615.0, as indicated by the project's release notes and a specific commit (c621a74804f4f6e8318819c01e3a23a17698588b) that addresses the authorization bypass. Security practitioners should upgrade to v1.615.0 or later and review Operator role assignments.
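The following is an added illustration of the CWE-862 pattern described above and of the AC-3/AC-6 enforcement that closes it; it is not Windmill's code. The roles, actions and route shapes (`/w/<workspace>/<kind>/<op>`) are a hypothetical model of a workspace API, chosen to mirror the entities named in the NVD description (scripts, flows, apps, raw_apps, jobs). The vulnerable check only verifies workspace membership, so the documented Operator restriction is never consulted; the hardened check routes every request through one explicit policy table and fails closed on anything it does not recognise.

```rust
// Added example (not Windmill's code): the missing-authorization pattern
// behind CVE-2026-22683 and the enforcement that closes it. Roles, actions
// and routes are a hypothetical model of a workspace API.
use std::fmt;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Role {
    Admin,
    Developer,
    Operator,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action {
    Read,
    Execute, // run an existing entity through the jobs API
    Create,
    Update,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum EntityKind {
    Script,
    Flow,
    App,
    RawApp,
    Job, // a job runs a script or flow; it is the Operator's legitimate path
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Forbidden {
    pub role: Role,
    pub action: Action,
    pub kind: EntityKind,
}

impl fmt::Display for Forbidden {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:?} may not {:?} {:?}", self.role, self.action, self.kind)
    }
}

/// Vulnerable pattern: the handler only verifies workspace membership.
/// The Operator restriction lives in documentation, not in code, so an
/// Operator's Create/Update request passes exactly like a Developer's.
pub fn authorize_vulnerable(is_member: bool, _role: Role, _action: Action, _kind: EntityKind) -> bool {
    is_member
}

/// Hardened pattern (AC-3 access enforcement, AC-6 least privilege): one
/// explicit policy table evaluated before any workspace handler runs.
/// Anything not listed as allowed is denied.
pub fn authorize(is_member: bool, role: Role, action: Action, kind: EntityKind) -> Result<(), Forbidden> {
    if !is_member {
        return Err(Forbidden { role, action, kind });
    }
    let allowed = match (role, action) {
        (Role::Admin, _) => true,
        (Role::Developer, _) => true,
        // Operators may read and execute entities but never create or modify them.
        (Role::Operator, Action::Read | Action::Execute) => true,
        (Role::Operator, Action::Create | Action::Update) => false,
    };
    if allowed { Ok(()) } else { Err(Forbidden { role, action, kind }) }
}

/// Maps a request to the (action, entity) pair the policy reasons about.
/// Route shape is illustrative: /w/<workspace>/<kind>/<op>[/...].
pub fn classify(method: &str, path: &str) -> Option<(Action, EntityKind)> {
    let seg: Vec<&str> = path.trim_matches('/').split('/').collect();
    if seg.len() < 4 || seg[0] != "w" {
        return None;
    }
    let kind = match seg[2] {
        "scripts" => EntityKind::Script,
        "flows" => EntityKind::Flow,
        "apps" => EntityKind::App,
        "raw_apps" => EntityKind::RawApp,
        "jobs" => EntityKind::Job,
        _ => return None,
    };
    let action = match (method, seg[3]) {
        ("GET", _) => Action::Read,
        ("POST", "create") => Action::Create,
        ("POST", "update") => Action::Update,
        ("POST", "run") => Action::Execute,
        _ => return None,
    };
    Some((action, kind))
}

/// Gate a request: classify it, then enforce policy. Unrecognised routes are
/// denied rather than silently allowed (fail closed).
pub fn gate(is_member: bool, role: Role, method: &str, path: &str) -> Result<(), String> {
    let (action, kind) =
        classify(method, path).ok_or_else(|| format!("unrecognised route {method} {path}"))?;
    authorize(is_member, role, action, kind).map_err(|e| e.to_string())
}

fn main() {
    for (role, method, path) in [
        (Role::Operator, "POST", "/w/demo/scripts/create"),
        (Role::Operator, "POST", "/w/demo/jobs/run/p/f/demo/hello"),
        (Role::Developer, "POST", "/w/demo/scripts/update"),
    ] {
        println!("{role:?} {method} {path}: {:?}", gate(true, role, method, path));
    }
}
```

The design point is that the policy is a single closed table, so adding a new mutating endpoint without a matching policy entry yields a denial rather than an unintended grant, which is the failure mode this CVE describes. The same table can serve as the basis for an audit log entry on every denial, giving defenders a signal for Operator accounts probing create/update routes.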

A public proof-of-concept exploit named Windfall is available on GitHub (Chocapikk/Windfall), with related details in a blog post detailing remote code execution via Windmill in the context of Nextcloud Flow.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products

nextcloud / flow: 1.0.0 to 1.2.2
windmill / windmill: 1.56.0 to 1.614.0

CVEs Like This One

CVE-2026-29059: same product (Windmill Windmill)
CVE-2026-33881: same product (Windmill Windmill)
CVE-2024-10591: shared CWE-862
CVE-2026-4100: shared CWE-862
CVE-2024-13232: shared CWE-862
CVE-2025-27270: shared CWE-862
CVE-2026-41454: shared CWE-862
CVE-2026-0511: shared CWE-862
CVE-2026-1321: shared CWE-862
CVE-2026-24524: shared CWE-862
