CVE-2026-33881
Published: 27 March 2026
Summary
CVE-2026-33881 is a high-severity Code Injection (CWE-94) vulnerability in Windmill. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 22.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of workspace environment variable inputs to prevent code injection via unescaped single quotes in JavaScript string literals.
- SI-15 (Information Output Filtering): mandates filtering of interpolated strings from environment variables to escape special characters such as single quotes before insertion into NativeTS scripts.
- Flaw remediation: ensures timely identification, testing, and deployment of the patch for this code injection flaw in Windmill's worker.rs, as fixed in version 1.664.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Code injection (CWE-94) in the network-accessible Windmill platform enables arbitrary JavaScript execution inside NativeTS scripts via unsanitized environment variable interpolation. This maps directly to T1190 (exploitation of a public-facing application) and T1059.007 (Command and Scripting Interpreter: JavaScript).
NVD Description
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
Deeper analysis
CVE-2026-33881 is a code injection vulnerability (CWE-94) in Windmill, an open-source developer platform used for building internal code such as APIs, background jobs, workflows, and UIs. The issue arises in the NativeTS executor, where workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes. This flaw, located in worker.rs and unrelated to sandboxing or NSJAIL, allows injected code to execute in affected components. The vulnerability was published on 2026-03-27 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A workspace administrator can exploit the vulnerability by setting a custom environment variable with a value containing a single quote (`'`), enabling injection of arbitrary JavaScript. This code executes inside every NativeTS script within that workspace, potentially compromising confidentiality, integrity, and availability through unauthorized access, data manipulation, or disruption.
Windmill version 1.664.0 addresses the issue with a patch. Additional details are available in the GitHub security advisory at https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q.
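The following is an added illustration of the interpolation pattern described above, not code from Windmill's worker.rs. It models an executor that builds a JavaScript prelude binding workspace environment variables as string literals, shows why raw interpolation into a `'...'` literal lets a value containing `'` reach the parser as code, and shows a hardened variant that serializes each value with `JSON.stringify` (an assumed mitigation; the actual fix in 1.664.0 may differ). All function names and the sample environment are constructed for this example.

```javascript
// Added example, not Windmill's code. Models the CVE-2026-33881 pattern:
// an executor emits a JavaScript prelude that binds workspace env vars as
// string literals before the user's NativeTS script runs.

// Constructed sample workspace environment; GREETING contains a single quote.
const SAMPLE_ENV = {
  API_BASE: "https://api.example.internal",
  GREETING: "it's five o'clock",
};

// Vulnerable pattern: raw interpolation into a single-quoted literal.
// A `'` in the value closes the literal, and the rest is parsed as code.
function buildPreludeUnsafe(env) {
  return Object.entries(env)
    .map(([k, v]) => `const ${k} = '${v}';`)
    .join("\n");
}

// Hardened pattern (SI-15 output filtering): JSON.stringify produces a valid
// JavaScript string literal, escaping quotes, backslashes and control chars.
function buildPreludeSafe(env) {
  return Object.entries(env)
    .map(([k, v]) => `const ${k} = ${JSON.stringify(String(v))};`)
    .join("\n");
}

// Input validation (SI-10): only identifier-shaped names may be bound, so the
// `const ${k}` position cannot be abused either.
function validateEnvName(name) {
  return /^[A-Za-z_][A-Za-z0-9_]*$/.test(name);
}

// Check: compile the prelude and read one binding back. Returns the value a
// script would observe, or the error name if the prelude no longer parses as a
// plain sequence of string bindings (i.e. the value escaped its literal).
function roundTrip(prelude, name) {
  try {
    return new Function(`${prelude}\nreturn ${name};`)();
  } catch (e) {
    return e.name;
  }
}

console.log(roundTrip(buildPreludeUnsafe(SAMPLE_ENV), "GREETING")); // SyntaxError
console.log(roundTrip(buildPreludeSafe(SAMPLE_ENV), "GREETING"));   // it's five o'clock
```

A defensive regression test for this class of bug is exactly the round-trip check: every environment value must come back byte-for-byte from the generated prelude, and any value containing `'`, `\`, or a newline should be part of the fixture set.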
Details
- CWE(s)