CVE 9.3 CRITICAL

Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration_CVE-2026-47107

May 19, 2026 invoker category_cve
9.3 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Description

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to victim workspaces across tenants.

AI Analysis

Incorrect default permissions in nsjail sandbox configuration files allow authenticated users to write arbitrary entries to system files and gain workspace-admin access to victim workspaces across tenants.

Basic Information

ID CVE-2026-47107
Source VulnCheck
Published May 19, 2026 at 16:42
Modified May 19, 2026 at 18:36

Affected Product

Vendor windmill-labs
Product windmill
Affected Versions windmill-labs windmill 0

CWE Classification

CWE-276

AI Assessment

AI Score 9.3 / 10
AI Severity Critical
Vendor Windmill Labs
Product Windmill
Version < 1.703.2

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.