Main Vulnerability Database Exploits ID:12429 - Exploit for Information disclosure in Windmill - CVE-2026-26964

ID:12429 - Exploit for Information disclosure in Windmill - CVE-2026-26964

Published: February 20, 2026

Vulnerability identifier: #VU123114

Vulnerability risk: Low

CVE-ID: CVE-2026-26964

CWE-ID: CWE-200

Exploitation vector: Remote access

Vulnerable software:
Windmill

Link to public exploit:

https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w/#poc

Vulnerability description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member. A remote administrator can gain unauthorized access to sensitive information on the system.

Remediation

Install updates from vendor's website.

ID:12429 - Exploit for Information disclosure in Windmill - CVE-2026-26964

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human