Cyber Resilience

CVE-2026-29059

Severity: Medium
Published: 06 March 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (fixed in 1.603.3)
CVSS Score (v4.0): 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.2331 (96.1st percentile)
Risk Priority: 28 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29059 is a medium-severity Path Traversal (CWE-22) vulnerability in Windmill (vendor: Windmill). Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Windmill, an open-source developer platform for APIs, background jobs, workflows, and UIs, contains an unauthenticated path traversal vulnerability in its get_log_file endpoint at /api/w/{workspace}/jobs_u/get_log_file/(unknown). Prior to version 1.603.3 the filename parameter was concatenated directly into a file path without sanitization, enabling ../ sequences to access arbitrary server files; the flaw is tracked as CWE-22 and carries a CVSS 4.0 score of 6.9.
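As an added illustration (this is not Windmill's code and not the actual fix shipped in 1.603.3), the Rust below places the unsafe construction the advisory describes next to a hardened version: the request value must parse as exactly one plain file-name component, and the resolved path is checked to still lie under the log directory. The directory path and request values are constructed for the example; the function names are hypothetical.

```rust
use std::path::{Component, Path, PathBuf};

/// Unsafe construction, mirroring the pattern described above: the
/// caller-supplied `filename` is appended to the log directory unchecked,
/// so `..` components survive into the path that is eventually opened.
pub fn naive_log_path(log_dir: &Path, filename: &str) -> PathBuf {
    log_dir.join(filename)
}

/// Hardened construction. The request value must parse as exactly one
/// `Component::Normal` (a plain file name): `..`, `.`, a leading `/`,
/// embedded separators and Windows prefixes are all rejected before any
/// filesystem access happens. Returns `None` on rejection.
pub fn safe_log_path(log_dir: &Path, filename: &str) -> Option<PathBuf> {
    if filename.is_empty() || filename.contains('\0') {
        return None;
    }
    let mut parts = Path::new(filename).components();
    let name = match parts.next() {
        Some(Component::Normal(n)) => n,
        _ => return None, // RootDir, ParentDir, CurDir or Prefix first
    };
    if parts.next().is_some() {
        return None; // more than one component, e.g. "a/b" or "a/../b"
    }
    let resolved = log_dir.join(name);
    // Belt-and-braces containment check on the lexical result.
    if !resolved.starts_with(log_dir) {
        return None;
    }
    Some(resolved)
}

/// True when a lexically built path still carries a `..` component,
/// which is what a reviewer looks for in the naive version's output.
pub fn escapes_directory(path: &Path) -> bool {
    path.components().any(|c| c == Component::ParentDir)
}

fn main() {
    // Constructed sample directory and request values for the demo.
    let log_dir = Path::new("/srv/windmill/logs");
    for req in ["job_42.log", "../../app.conf", "/abs/file", "a/b.log"] {
        let naive = naive_log_path(log_dir, req);
        println!(
            "{:?}: naive -> {:?} (escapes: {}), safe -> {:?}",
            req,
            naive,
            escapes_directory(&naive),
            safe_log_path(log_dir, req)
        );
    }
}
```

The design choice worth noting is that the check operates on parsed path components rather than on a substring search for `../`, so encoded or mixed-separator variants that normalise to a parent reference are handled by the same rule, and anything that is not a single plain name is refused outright.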

An attacker with network access and no credentials can invoke the endpoint to retrieve sensitive files such as configuration data or source code stored on the Windmill server. Because the vulnerability requires no authentication or user interaction, exploitation can be performed remotely by any party that can reach the affected instance.

The issue is resolved in release 1.603.3, as noted in the project’s GitHub advisory GHSA-24fr-44f8-fqwg and corresponding tag. The current EPSS score of 0.2331 shows no material increase from its recorded peak, indicating stable rather than rising exploitation interest after disclosure.

Vulnerability details

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/(unknown))". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.

CWE(s)

CWE-22: Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

An unauthenticated path traversal in a public-facing Windmill endpoint directly enables remote exploitation (T1190) and arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33881 (same product: Windmill Windmill)
CVE-2026-22683 (same product: Windmill Windmill)
CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)

Affected Assets

Vendor: windmill
Product: windmill
Versions: ≤ 1.603.3 as listed; note that the advisory text on this page states the fix shipped in 1.603.3, so the affected releases are those prior to 1.603.3.

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)

Directly mitigates the path traversal vulnerability by requiring validation and sanitization of the unsanitized filename parameter to block ../ sequences.

SI-2 Flaw Remediation (prevent, recover)

Requires timely identification, reporting, and patching of software flaws like the path traversal in the get_log_file endpoint, as demonstrated by the fix in version 1.603.3.

Third control (prevent, detect); the control identifier did not survive extraction on this page, and the description below matches NIST 800-53 AC-14, Permitted Actions Without Identification or Authentication (an inference, not stated on the page)

Addresses risks from the unauthenticated get_log_file endpoint by mandating risk assessments, protective controls such as input validation, and monitoring of permitted unauthenticated actions.
