CVE-2026-29059
Published: 06 March 2026
Summary
CVE-2026-29059 is a medium-severity Path Traversal (CWE-22) vulnerability in Windmill. Its CVSS 4.0 base score is 6.9 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.9% of all CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Windmill, an open-source developer platform for APIs, background jobs, workflows, and UIs, contains an unauthenticated path traversal vulnerability in its get_log_file endpoint at /api/w/{workspace}/jobs_u/get_log_file/(unknown). Prior to version 1.603.3 the filename parameter was concatenated directly into a file path without sanitization, so a request carrying ../ sequences resolves to a location outside the intended log directory and the server returns that file instead. The flaw is tracked as CWE-22 and carries a CVSS 4.0 score of 6.9.
An attacker with network reach and no credentials can call the endpoint to retrieve sensitive files such as configuration data or source code stored on the Windmill server; the reads are limited only by what the operating-system user running Windmill is permitted to open. Because exploitation needs neither authentication nor user interaction, any party that can reach the affected instance can carry it out remotely.
The issue is fixed in release 1.603.3, as recorded in the project's GitHub advisory GHSA-24fr-44f8-fqwg and the corresponding release tag. The current EPSS score of 0.2331 (an estimated 23% probability of exploitation activity within the next 30 days) has not moved materially from its recorded peak, indicating stable rather than rising exploitation interest since disclosure.
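To make the mechanism concrete, here is an added example in Rust (the language of Windmill's backend) that is not Windmill's own code and not taken from the advisory: a resolver that mirrors the unsafe concatenation described above, beside a hardened version that walks the requested path component by component, rejects ".." and absolute paths, and then canonicalizes before opening so a symlink inside the log directory cannot redirect the read. The log directory path, the function names and the error type are assumptions chosen for illustration; only the standard library is used.

```rust
// Added example, not Windmill's code. The log directory, helper names and
// error type are illustrative assumptions.
use std::fs::File;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Vulnerable pattern described in the advisory: the caller-controlled
/// `filename` is pasted straight onto the log directory, so a value such as
/// "../../../etc/passwd" walks out of it.
fn resolve_log_path_vulnerable(log_dir: &Path, filename: &str) -> PathBuf {
    PathBuf::from(format!("{}/{}", log_dir.display(), filename))
}

#[derive(Debug, PartialEq)]
enum PathError {
    Empty,
    Traversal,    // a ".." component was present
    AbsolutePath, // a leading "/" (or a drive prefix on Windows)
}

/// Hardened resolver: inspect the requested path lexically and accept only
/// plain components. This must run on the already URL-decoded value the
/// router hands the handler; decoding after the check would reopen the hole.
fn resolve_log_path_safe(log_dir: &Path, filename: &str) -> Result<PathBuf, PathError> {
    if filename.is_empty() {
        return Err(PathError::Empty);
    }
    let mut out = log_dir.to_path_buf();
    for comp in Path::new(filename).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {} // a leading "." is harmless
            Component::ParentDir => return Err(PathError::Traversal),
            Component::RootDir | Component::Prefix(_) => return Err(PathError::AbsolutePath),
        }
    }
    Ok(out)
}

/// Second layer for the actual open: canonicalize both sides so a symlink
/// planted inside the log directory cannot point the read elsewhere.
fn open_log_file(log_dir: &Path, filename: &str) -> io::Result<File> {
    let candidate = resolve_log_path_safe(log_dir, filename)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, format!("{e:?}")))?;
    let root = log_dir.canonicalize()?;
    let real = candidate.canonicalize()?; // errors if the file does not exist
    if !real.starts_with(&root) {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "outside log dir"));
    }
    File::open(real)
}

fn main() {
    let dir = Path::new("/var/windmill/logs"); // assumed location
    println!("{}", resolve_log_path_vulnerable(dir, "../../../etc/passwd").display());
    println!("{:?}", resolve_log_path_safe(dir, "../../../etc/passwd"));
    println!("{:?}", resolve_log_path_safe(dir, "job-123/stdout.log"));
}
```

The lexical check alone stops the advisory's ../ payload and absolute paths; the canonicalize-and-starts_with step is what also defends against symlinks and against any future path-normalisation quirks, which is why both layers are kept.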
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10017
Vulnerability details
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/(unknown))". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
The vulnerable get_log_file endpoint is reachable without authentication on a public-facing Windmill instance, so exploiting it is a direct instance of T1190; the payload's effect, reading arbitrary files from the server's filesystem, is collection under T1005.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the vulnerability by requiring the filename parameter to be validated and sanitized so that ../ sequences, absolute paths, and anything that resolves outside the log directory are rejected before the file is opened.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of software flaws such as the path traversal in the get_log_file endpoint, which for this CVE means upgrading to version 1.603.3 or later.
- Permitted actions without identification or authentication: addresses the risk created by an endpoint that serves requests to unauthenticated callers by requiring such actions to be inventoried and justified by a risk assessment, wrapped in protective controls such as input validation, and monitored for abuse.
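For the monitoring point above, here is an added example, not from this page, the advisory or the Windmill project, in Rust using only the standard library: it scans access-log lines for requests to the get_log_file route whose path contains a ".." segment, percent-decoding twice so both encoded (%2e%2e) and double-encoded (%252e%252e) forms are caught. The Common Log Format lines, the IP addresses and the helper names are constructed for illustration.

```rust
// Added example, not from the advisory or the project. The log lines below
// are constructed; the route prefix matches the endpoint named in the advisory.

/// Decode %XX escapes once; malformed or truncated escapes are left as-is.
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%'
            && i + 2 < bytes.len()
            && bytes[i + 1].is_ascii_hexdigit()
            && bytes[i + 2].is_ascii_hexdigit()
        {
            if let Ok(v) = u8::from_str_radix(&s[i + 1..i + 3], 16) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Pull the request path out of a Common Log Format line:
/// ip - - [timestamp] "METHOD /path HTTP/x.y" status bytes
fn request_path(line: &str) -> Option<&str> {
    let req = line.split('"').nth(1)?; // METHOD /path HTTP/x.y
    req.split_whitespace().nth(1)
}

/// True when the decoded path targets the get_log_file route and carries a
/// ".." segment. Decoding twice catches double-encoded dots; the query
/// string is dropped because the route takes the filename from the path.
fn is_traversal_attempt(path: &str) -> bool {
    let no_query = path.split('?').next().unwrap_or(path);
    let decoded = percent_decode(&percent_decode(no_query));
    let on_route = decoded.starts_with("/api/w/") && decoded.contains("/jobs_u/get_log_file/");
    let has_dotdot = decoded.split(|c| c == '/' || c == '\\').any(|seg| seg == "..");
    on_route && has_dotdot
}

/// Return every line of `log` that looks like a traversal attempt.
fn flag_lines(log: &str) -> Vec<&str> {
    log.lines()
        .filter(|l| request_path(l).map_or(false, is_traversal_attempt))
        .collect()
}

/// Constructed sample: one benign fetch, three traversal attempts in plain,
/// encoded and double-encoded form, and one ".." that is not on the route.
const SAMPLE_LOG: &str = "\
203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] \"GET /api/w/demo/jobs_u/get_log_file/0191a.log HTTP/1.1\" 200 512
203.0.113.9 - - [06/Mar/2026:10:00:02 +0000] \"GET /api/w/demo/jobs_u/get_log_file/../../../../etc/passwd HTTP/1.1\" 200 1820
203.0.113.9 - - [06/Mar/2026:10:00:03 +0000] \"GET /api/w/demo/jobs_u/get_log_file/%2e%2e/%2e%2e/etc/shadow HTTP/1.1\" 403 0
198.51.100.4 - - [06/Mar/2026:10:00:04 +0000] \"GET /api/w/demo/jobs_u/get_log_file/%252e%252e/%252e%252e/srv/windmill/.env HTTP/1.1\" 404 0
203.0.113.9 - - [06/Mar/2026:10:00:05 +0000] \"GET /api/w/demo/jobs/list?foo=../../x HTTP/1.1\" 200 900";

fn main() {
    for line in flag_lines(SAMPLE_LOG) {
        println!("TRAVERSAL ATTEMPT: {line}");
    }
}
```

A 200 response on a flagged line (the second sample) is the one to escalate: on an unpatched instance it means the file was served. Matching on the decoded path rather than the raw one is what keeps the encoded variants from slipping past.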