Windmill Dev Platform Suffers Critical Code Injection Flaw
CVE Notify has flagged a significant vulnerability within the popular open-source developer platform, Windmill. The issue, dubbed CVE-2026-33881, resides in the platform’s NativeTS executor. According to CVE Notify, environment variable values are being interpolated into JavaScript string literals without proper escaping for single quotes. This oversight allows a malicious workspace administrator to inject arbitrary JavaScript code. This injected code can then execute within any NativeTS script running in that specific workspace, posing a serious security risk.
CVE Notify clarifies that this is a code injection bug located in the worker.rs component, and it’s distinct from sandbox or NSJAIL-related security concerns. The vulnerability impacts Windmill’s ability to securely manage internal code, including APIs, background jobs, workflows, and user interfaces. The good news is that Windmill has already addressed this by releasing version 1.664.0, which includes a patch for this critical flaw.
What This Means For You
- Organizations utilizing Windmill should immediately review their environment variable configurations and ensure all workspace administrators are trusted. Promptly update to version 1.664.0 or later to remediate this code injection vulnerability.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33881 | Code Injection | Windmill version < 1.664.0, NativeTS executor, interpolation of environment variables into JavaScript string literals without escaping single quotes in worker.rs |
| CVE-2026-33881 | Code Injection | Windmill version < 1.664.0, affected component: NativeTS executor, vulnerability: arbitrary JavaScript injection via unescaped single quotes in environment variables |
🛠 Recommended Tools
Found this interesting? Follow us to stay ahead.