CVE-2026-33881
Published: 27 March 2026
Summary
CVE-2026-33881 is a high-severity Code Injection (CWE-94) vulnerability in Windmill. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 23.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-33881 is a code injection vulnerability (CWE-94) in Windmill, an open-source developer platform used for building internal code such as APIs, background jobs, workflows, and UIs. The issue arises in the NativeTS executor, where workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes. The flaw is located in worker.rs and is unrelated to sandboxing or NSJAIL: the injected text becomes part of the generated JavaScript itself, so it runs wherever that script runs. The vulnerability was published on 2026-03-27 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A workspace administrator can exploit the vulnerability by setting a custom environment variable with a value containing a single quote (`'`), enabling injection of arbitrary JavaScript. This code executes inside every NativeTS script within that workspace, potentially compromising confidentiality, integrity, and availability through unauthorized access, data manipulation, or disruption.
Windmill version 1.664.0 addresses the issue with a patch. Additional details are available in the GitHub security advisory at https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q.
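To make the defect class concrete, the following Rust snippet is an added illustration and is not code from Windmill's worker.rs or from the upstream fix. It places a naive prelude builder, which drops an environment variable value straight into a single-quoted JavaScript literal, beside a builder that escapes the value into a well-formed literal first, and adds a small regression check that counts unescaped quote characters in the generated statement. The function names and the `process.env[...]` assignment shape are assumptions chosen for illustration; the real Windmill prelude and its patch may differ.

```rust
// Added example, not Windmill's code. Two ways of embedding a workspace
// environment variable value into generated JavaScript. The `process.env[...]`
// statement shape and all function names are hypothetical.

/// Naive interpolation: the value is placed between single quotes as-is.
/// A value containing `'` terminates the literal early, so whatever follows
/// is parsed as JavaScript code. This reproduces the class of defect described.
pub fn naive_prelude(name: &str, value: &str) -> String {
    format!("process.env['{}'] = '{}';", name, value)
}

/// Escape an arbitrary Rust string into a JavaScript single-quoted string
/// literal whose runtime value equals the input. Backslash and quote are
/// escaped, as are newlines, other control characters, and the two Unicode
/// line terminators (U+2028/U+2029), which older JS parsers treat like newlines.
pub fn js_string_literal(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '\'' => out.push_str("\\'"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\u{2028}' => out.push_str("\\u2028"),
            '\u{2029}' => out.push_str("\\u2029"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('\'');
    out
}

/// Hardened form: both the variable name and its value go through the escaper,
/// so no input can change the structure of the generated statement.
pub fn safe_prelude(name: &str, value: &str) -> String {
    format!(
        "process.env[{}] = {};",
        js_string_literal(name),
        js_string_literal(value)
    )
}

/// Cheap regression check for generated code: count quote characters that are
/// not preceded by an odd number of backslashes. A statement that embeds two
/// string literals must contain exactly four such quotes, regardless of input.
pub fn unescaped_quote_count(js: &str) -> usize {
    let mut count = 0;
    let mut prev_backslash = false;
    for c in js.chars() {
        if c == '\'' && !prev_backslash {
            count += 1;
        }
        prev_backslash = c == '\\' && !prev_backslash;
    }
    count
}

fn main() {
    // Constructed sample value containing a single quote.
    let value = "it's";
    println!("naive: {}", naive_prelude("GREETING", value));
    println!("safe:  {}", safe_prelude("GREETING", value));
    println!(
        "unescaped quotes: naive={} safe={}",
        unescaped_quote_count(&naive_prelude("GREETING", value)),
        unescaped_quote_count(&safe_prelude("GREETING", value))
    );
}
```

The quote-count check is deliberately crude, but it is exactly the kind of assertion that would have flagged the naive builder in a unit test: feed it a value with a stray `'` and the count for the naive output rises from four to five, while the escaped output stays at four. In a real code base a JSON encoder (which produces a valid JavaScript string literal for any input) is the usual choice over a hand-written escaper.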
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16820
Vulnerability details
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Code injection (CWE-94) in the network-accessible Windmill platform enables arbitrary JavaScript execution inside NativeTS scripts via unsanitized environment variable interpolation. This maps directly to T1190 (Exploit Public-Facing Application) and T1059.007 (Command and Scripting Interpreter: JavaScript).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of workspace environment variable inputs to prevent code injection via unescaped single quotes in JavaScript string literals.
- SI-15 (Information Output Filtering): mandates filtering of strings interpolated from environment variables so that special characters such as single quotes are escaped before insertion into NativeTS scripts.
- Flaw remediation: ensures timely identification, testing, and deployment of patches for this code injection flaw in Windmill's worker.rs, as fixed in version 1.664.0.