CVE-2026-26964

Source
https://cve.org/CVERecord?id=CVE-2026-26964
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26964.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26964
Aliases
  • GHSA-f27g-j463-q85w
Published
2026-02-19T23:57:30.237Z
Modified
2026-03-03T02:56:19.322936Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members
Details

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users to see a redacted version of workspace settings, as some of the settings are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.
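
The failure mode described above, as an added illustration that is not Windmill's code: a denylist-style redaction passes through any field nobody listed, while an allowlist does not, and a small regression check flags sensitive-looking keys in a non-admin response. Apart from the Slack client secret field named in the advisory (written here as `slack_oauth_client_secret`), every field name, value, the `$var:` reference form and the denylist structure itself are assumptions.

```python
import re

# Constructed sample of a workspace settings row. Only slack_oauth_client_secret
# comes from the advisory; every other key and value is hypothetical.
SETTINGS = {
    "workspace_id": "demo",
    "color": "#2563eb",
    "webhook": "$var:u/admin/webhook_url",  # indirection: a reference, not the value
    "slack_oauth_client_id": "1234.5678",
    "slack_oauth_client_secret": "constructed-not-a-real-secret",  # legacy plain value
}

# Denylist redaction (hypothetical): anything not listed passes through, so a
# field that was never added to the list is returned to non-admins unchanged.
DENYLIST = {"webhook"}

def redact_denylist(settings, is_admin):
    if is_admin:
        return dict(settings)
    return {k: v for k, v in settings.items() if k not in DENYLIST}

# Allowlist redaction: non-admins receive only the fields the frontend needs.
NON_ADMIN_FIELDS = {"workspace_id", "color"}

def redact_allowlist(settings, is_admin):
    if is_admin:
        return dict(settings)
    return {k: v for k, v in settings.items() if k in NON_ADMIN_FIELDS}

SENSITIVE_KEY = re.compile(r"(secret|token|password|api_key)", re.IGNORECASE)

def leaked_keys(response):
    """Regression check: sensitive-looking keys that carry a non-empty plain value."""
    return sorted(
        k for k, v in response.items()
        if SENSITIVE_KEY.search(k) and v and not str(v).startswith("$")
    )

if __name__ == "__main__":
    print("denylist, non-admin :", leaked_keys(redact_denylist(SETTINGS, False)))
    print("allowlist, non-admin:", leaked_keys(redact_allowlist(SETTINGS, False)))
```

A check like `leaked_keys` belongs in an API test that calls the settings endpoint with a non-admin session, so a newly added plain-value field fails the build instead of shipping.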

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26964.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/windmill-labs/windmill

Affected ranges

Type
GIT
Repo
https://github.com/windmill-labs/windmill
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions


Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26964.json"