Description

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.

INFO

Published Date :

2026-02-19T23:57:30.237Z

Last Modified :

2026-02-20T15:36:28.646Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26964 vulnerability.

Vendors Products
Windmill
  • Windmill
Windmill-labs
  • Windmill
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26964.

URL Resource
https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82 cve-icon cve-icon
https://github.com/windmill-labs/windmill/releases/tag/v1.635.0 cve-icon cve-icon
https://github.com/windmill-labs/windmill/security/advisories/GHSA-f27g-j463-q85w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact