{"id":"CVE-2026-29059","summary":"Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly","details":"Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint (\"/api/w/{workspace}/jobs_u/get_log_file/{filename}\"). The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.","aliases":["GHSA-24fr-44f8-fqwg"],"modified":"2026-04-10T05:41:28.462483Z","published":"2026-03-06T07:11:28.527Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29059.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/windmill-labs/windmill/releases/tag/v1.603.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29059.json"},{"type":"ADVISORY","url":"https://github.com/windmill-labs/windmill/security/advisories/GHSA-24fr-44f8-fqwg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29059"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/windmill-labs/windmill","events":[{"introduced":"0"},{"fixed":"de2f5d3432ab294e39167b1a2b804616fc96c814"}]}],"versions":["1.422.3","1.462.2","1.462.3","1.462.4","1.463.4","1.463.5","v1.417.0","v1.417.1","v1.417.2","v1.417.3","v1.418.0","v1.419.0","v1.420.0","v1.420.1","v1.421.0","v1.421.1","v1.421.2","v1.422.0","v1.422.1","v1.423.0","v1.423.1","v1.423.2","v1.424.0","v1.425.0","v1.425.1","v1.426.0","v1.426.1","v1.427.0","v1.428.0","v1.428.1","v1.429.0","v1.430.0","v1.430.1","v1.430.2","v1.431.0","v1.431.1","v1.432.0","v1.433.0","v1.434.0","v1.434.1","v1.434.2","v1.435.0","v1.435.1","v1.435.2","v1.436.0","v1.437.0","v1.437.1","v1.438.0
","v1.439.0","v1.440.0","v1.440.1","v1.440.2","v1.440.3","v1.441.0","v1.441.1","v1.441.2","v1.442.0","v1.443.0","v1.444.0","v1.445.0","v1.445.1","v1.446.0","v1.447.0","v1.447.1","v1.447.2","v1.447.3","v1.447.4","v1.447.5","v1.447.6","v1.448.0","v1.448.1","v1.449.0","v1.449.1","v1.449.2","v1.449.3","v1.450.0","v1.450.1","v1.451.0","v1.452.0","v1.452.1","v1.453.0","v1.453.1","v1.454.0","v1.454.1","v1.455.0","v1.455.1","v1.455.2","v1.456.0","v1.457.0","v1.457.1","v1.458.0","v1.458.1","v1.458.2","v1.458.3","v1.458.4","v1.459.0","v1.460.0","v1.460.1","v1.461.0","v1.461.1","v1.462.0","v1.462.1","v1.463.0","v1.463.1","v1.463.2","v1.463.3","v1.463.5","v1.463.6","v1.464.0","v1.465.0","v1.466.0","v1.466.1","v1.466.2","v1.466.3","v1.467.0","v1.467.1","v1.468.0","v1.469.0","v1.470.0","v1.470.1","v1.471.0","v1.471.1","v1.472.0","v1.472.1","v1.473.0","v1.473.1","v1.474.0","v1.475.0","v1.475.1","v1.476.0","v1.477.0","v1.477.1","v1.478.0","v1.478.1","v1.479.0","v1.479.1","v1.479.2","v1.479.3","v1.480.0","v1.480.1","v1.481.0","v1.482.0","v1.482.1","v1.483.0","v1.483.1","v1.483.2","v1.484.0","v1.485.0","v1.485.1","v1.485.2","v1.485.3","v1.486.0","v1.486.1","v1.487.0","v1.488.0","v1.489.0","v1.490.0","v1.491.0","v1.491.1","v1.491.2","v1.491.3","v1.491.4","v1.491.5","v1.492.0","v1.492.1","v1.493.0","v1.493.1","v1.493.2","v1.493.3","v1.493.4","v1.494.0","v1.495.0","v1.495.1","v1.496.0","v1.496.1","v1.496.2","v1.496.3","v1.497.0","v1.497.1","v1.497.2","v1.498.0","v1.499.0","v1.500.0","v1.500.1","v1.500.2","v1.500.3","v1.501.0","v1.501.1","v1.501.2","v1.501.3","v1.501.4","v1.502.0","v1.502.1","v1.502.2","v1.503.0","v1.503.1","v1.503.2","v1.503.3","v1.504.0","v1.505.0","v1.505.1","v1.505.2","v1.505.3","v1.505.4","v1.506.0","v1.507.0","v1.507.1","v1.507.2","v1.508.0","v1.509.0","v1.509.1","v1.509.2","v1.510.0","v1.510.1","v1.511.0","v1.512.0","v1.513.0","v1.513.1","v1.514.0","v1.514.1","v1.515.0","v1.515.1","v1.516.0","v1.517.0","v1.518.0","v1.518.1","v1.518.2","v1.519.0","v1.519.1","v1.519
.2","v1.520.0","v1.520.1","v1.521.0","v1.522.0","v1.522.1","v1.523.0","v1.524.0","v1.525.0","v1.526.0","v1.526.1","v1.527.0","v1.527.1","v1.528.0","v1.529.0","v1.530.0","v1.531.0","v1.532.0","v1.533.0","v1.533.1","v1.534.0","v1.534.1","v1.535.0","v1.536.0","v1.537.0","v1.537.1","v1.538.0","v1.539.0","v1.539.1","v1.540.0","v1.540.1","v1.540.2","v1.541.0","v1.541.1","v1.542.0","v1.542.1","v1.542.2","v1.542.3","v1.542.4","v1.543.0","v1.544.0","v1.544.1","v1.544.2","v1.545.0","v1.546.0","v1.546.1","v1.547.0","v1.548.0","v1.548.1","v1.548.2","v1.548.3","v1.549.0","v1.549.1","v1.550.0","v1.551.0","v1.551.1","v1.551.2","v1.551.3","v1.551.4","v1.552.0","v1.552.1","v1.553.0","v1.554.0","v1.554.1","v1.555.0","v1.555.1","v1.555.2","v1.556.0","v1.556.1","v1.557.0","v1.558.0","v1.558.1","v1.559.0","v1.560.0","v1.561.0","v1.562.0","v1.563.0","v1.563.1","v1.563.2","v1.563.3","v1.563.4","v1.564.0","v1.565.0","v1.566.0","v1.566.1","v1.567.0","v1.567.1","v1.567.2","v1.567.3","v1.568.0","v1.569.0","v1.570.0","v1.571.0","v1.572.0","v1.572.1","v1.572.2","v1.573.0","v1.573.1","v1.573.2","v1.573.3","v1.573.4","v1.573.5","v1.574.0","v1.574.1","v1.574.2","v1.574.3","v1.575.0","v1.575.1","v1.575.2","v1.575.3","v1.575.4","v1.576.0","v1.576.1","v1.576.2","v1.576.3","v1.577.0","v1.578.0","v1.579.0","v1.579.1","v1.579.2","v1.580.0","v1.581.0","v1.581.1","v1.582.0","v1.582.1","v1.582.2","v1.583.0","v1.583.1","v1.583.2","v1.583.3","v1.584.0","v1.585.0","v1.585.1","v1.586.0","v1.587.0","v1.587.1","v1.588.0","v1.589.0","v1.589.1","v1.589.2","v1.589.3","v1.590.0","v1.591.0","v1.591.1","v1.591.2","v1.591.3","v1.591.4","v1.592.0","v1.592.1","v1.593.0","v1.593.1","v1.594.0","v1.595.0","v1.596.0","v1.597.0","v1.597.1","v1.598.0","v1.599.0","v1.599.1","v1.599.2","v1.599.3","v1.600.0","v1.600.1","v1.601.0","v1.601.1","v1.602.0","v1.603.0","v1.603.1","v1.603.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29059.json"}}],"schema_version":"1.7.5","sever
ity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}