Cybersecurity researchers have discovered critical vulnerabilities in the Windmill developer platform and in Nextcloud Flow, the Nextcloud integration that embeds the Windmill engine.
The most severe of these flaws allow remote attackers to take full control of affected systems without any credentials.
Administrators should patch immediately.
Security researcher Chocapikk has also released a proof-of-concept exploit framework named “Windfall,” which substantially lowers the bar for real-world attacks against unpatched instances.
- CVE-2026-29059: an unauthenticated path traversal vulnerability (CWE-22) in Windmill and Nextcloud Flow, rated at the maximum CVSS score of 10.0.
- Pending CVE: an authenticated SQL injection vulnerability affecting the same platforms, rated at a critical CVSS score of 9.4.
- Related identifiers: the exploit framework also references CVE-2026-23695, CVE-2026-23696, CVE-2026-23697, and CVE-2026-23698.
The Core Vulnerabilities
The most dangerous issue is the path traversal flaw, tracked as CVE-2026-29059. It exists because the logging system’s get_log_file endpoint does not validate the file path it is asked to serve.
As a result, an unauthenticated remote client can read files the service can access simply by including directory traversal sequences in the request. An attacker can use this to read application secrets and credentials and, from there, move on to code execution.
In Docker deployments, the same access can be leveraged to escape the container and attack the underlying host.
The second flaw is a SQL injection vulnerability. It requires the attacker to hold an ordinary operator account on Windmill.
Once authenticated, this low-privileged user can manipulate database queries to extract the contents of the PostgreSQL database, then promote their own account to “super admin” and take full control of the system.
The risk extends beyond standalone Windmill servers because Nextcloud Flow embeds the Windmill automation engine.
The researcher found a configuration error that left an internal endpoint publicly reachable.
This lets attackers bypass Nextcloud’s security proxy entirely, with no valid credentials required.
By triple URL-encoding the traversal sequence, attackers slip past the input filters and read application secrets from the server’s environment variables. With those secrets they can create rogue administrator accounts and seize control of the entire Nextcloud instance.
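The two weaknesses above, a log-file endpoint that does not confine the requested path and filters that only decode a URL once, can both be caught with the same normalisation step: decode until the string stops changing, then check the result. The following Python is an added example written for this page, not Windmill’s or Nextcloud’s code; the endpoint path, the log directory and the access-log lines are constructed placeholders, and the hardened resolver shows a generic containment check rather than the vendors’ actual fix.

```python
"""Traversal detection and a confined log-file resolver (added example, not project code).

Assumptions, labelled here and in comments below:
  - the endpoint path /api/jobs/get_log_file/<name> is a placeholder, not Windmill's real route
  - the nginx-style access-log lines are constructed for the demo
  - the log directory /srv/windmill/logs is illustrative
"""
import re
import urllib.parse
from pathlib import Path
from typing import List, Optional

MAX_DECODE_ROUNDS = 5  # unwraps triple encoding with margin; the cap stops pathological input


def fully_decode(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the string stops changing or the round cap is hit."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


# A '..' that forms a whole path segment, with either separator, at start, middle or end.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal(raw_param: str) -> bool:
    """True if the request parameter contains a '..' segment once every encoding layer is removed."""
    decoded = fully_decode(raw_param).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def resolve_log_path(log_dir: Path, requested: str) -> Optional[Path]:
    """Hardened resolver: join under log_dir, canonicalise, and refuse anything that leaves it.

    An absolute request replaces the base when joined, and '..' climbs out of it; both cases
    fail the parents check. Returning None (rather than a sanitised path) keeps the behaviour
    obvious to the caller.
    """
    base = log_dir.resolve()
    candidate = (base / fully_decode(requested)).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed access-log lines; the get_log_file route below is an assumed placeholder path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/jobs/get_log_file/job-123.log HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET /api/jobs/get_log_file/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1830
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api/jobs/get_log_file/%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 4096
203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/jobs/get_log_file/%25252e%25252e%25252f.env HTTP/1.1" 200 77
"""


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return the client IP of every line whose get_log_file parameter is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or "/get_log_file/" not in match.group(1):
            continue
        param = match.group(1).split("/get_log_file/", 1)[1].split("?", 1)[0]
        if is_traversal(param):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    for ip in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip)
    print(resolve_log_path(Path("/srv/windmill/logs"), "job-123.log"))
    print(resolve_log_path(Path("/srv/windmill/logs"), "%252e%252e%252fetc%252fpasswd"))
```

The single-decode filter that the triple-encoded request defeats would see only `%252e%252e`, which contains no `..`; decoding to a fixed point removes that blind spot. Note that a 200 response on a traversal request, as in the constructed lines, is the signal worth alerting on, since it indicates the server actually returned the file.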
The Windfall Exploit Framework
The situation is especially urgent because the “Windfall” exploit framework is public.
Built with AI assistance, the tool fingerprints the target server type and selects the appropriate credential-theft path for it.
It also includes a “Ghost Mode,” an operational-security feature that wipes the attack’s traces from the backend database once the intrusion is complete.
It deletes job histories and raw code logs, so the Windmill database alone will offer incident responders little or no evidence of the breach. Because the cleanup acts only on that database, evidence held elsewhere survives: reverse-proxy and web-server access logs, PostgreSQL server logs, and any logs already shipped to a central collector. Responders should preserve those sources first.
To close these holes, administrators should upgrade to Windmill version 1.603.3 and Nextcloud Flow version 1.3.0.
Developers should validate every file path taken from a request and require authentication on every endpoint that serves files.
In addition, security teams should run containers as non-root users, block access to the Docker socket, and disable the Flow app if updating is not possible. These steps limit what an attacker can do after a successful breach.
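The two container controls above, a non-root user and no Docker socket in the container, are easy to verify from `docker inspect` output. The script below is an added example, not part of the original article or of Windmill’s tooling; the JSON it contains is constructed to mirror the shape of `docker inspect` and does not come from a real host.

```python
"""Audit docker inspect output for root users and Docker-socket mounts (added example).

Usage on a real host:  docker inspect $(docker ps -q) | python3 audit_containers.py
Run with no stdin pipe, it audits the constructed SAMPLE_INSPECT record instead.
"""
import json
import sys
from typing import Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"


def runs_as_root(user: str) -> bool:
    """An empty Config.User means the image default, which for most images is uid 0."""
    name = user.split(":", 1)[0]
    return name in ("", "0", "root")


def container_findings(info: Dict) -> List[str]:
    """Return the hardening problems found in one docker inspect record."""
    name = info.get("Name", "?").lstrip("/")
    problems = []
    user = (info.get("Config") or {}).get("User") or ""
    if runs_as_root(user):
        problems.append(f"{name}: runs as root (Config.User={user!r})")
    host = info.get("HostConfig") or {}
    if host.get("Privileged"):
        problems.append(f"{name}: privileged container")
    # The socket can appear as a host:container bind string or as a Mounts entry.
    sources = [bind.split(":", 1)[0] for bind in host.get("Binds") or []]
    sources += [mount.get("Source", "") for mount in info.get("Mounts") or []]
    if DOCKER_SOCKET in sources:
        problems.append(f"{name}: mounts the Docker socket {DOCKER_SOCKET}")
    return problems


def audit(inspect_json: str) -> List[str]:
    """Audit every container in a docker inspect JSON array."""
    return [p for record in json.loads(inspect_json) for p in container_findings(record)]


# Constructed sample: one container with both weaknesses, one hardened container.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/windmill_server",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": False, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/windmill_worker",
        "Config": {"User": "1000:1000"},
        "HostConfig": {"Privileged": False, "Binds": []},
        "Mounts": [],
    },
])


if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(data)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Blocking the socket matters in combination with the traversal flaw: a file-read primitive inside a container that can reach `/var/run/docker.sock` is a short step from control of the host, which is the container escape the advisory warns about.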