Windmill Slack OAuth Client Secret Exposure Vulnerability

Vulnerability

A vulnerability in Windmill versions through 1.634.6 allows non-admin users to access Slack OAuth client secrets via the GET /api/w/{workspace}/workspaces/get_settings endpoint. This information should only be available to workspace administrators. The issue arises from legacy handling of Slack configuration data, which was stored in plaintext and not redacted for non-admin users. As a result, authenticated workspace members without admin privileges can retrieve sensitive OAuth client secrets, potentially leading to unauthorized actions within the associated Slack workspace.

Impact

Exploitation of this vulnerability allows any non-admin workspace member to obtain the Slack OAuth client secret, which could be used to impersonate the Windmill Slack application. While the leaked secret could facilitate a phishing OAuth flow targeting workspace members, the overall impact is limited, as the workspace Slack bot has a restricted scope and cannot access arbitrary messages in channels or DMs.

Reproduction

To reproduce this vulnerability, log into a Windmill instance as an admin and configure the Slack OAuth settings for a workspace. Then, log in as a regular non-admin user and request the workspace settings through the API. The response will include the Slack OAuth client secret, demonstrating the exposure.
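
The redaction gap described above, as an added illustration that is not Windmill's own code: a legacy-style handler that returns the stored settings row unchanged to any member, the hardened form that masks secret-bearing fields unless the caller is an admin, and a regression check that scans a settings response for unmasked secrets. The settings record and its field names are constructed for the example and do not reflect Windmill's real schema.

```python
import copy

# Constructed sample of a workspace settings record. Field names are
# assumptions for illustration; Windmill's real schema may differ.
SETTINGS_ROW = {
    "workspace_id": "demo",
    "auto_invite_domain": "example.com",
    "slack_team_name": "example-team",
    # Legacy Slack OAuth config kept in plaintext next to ordinary settings.
    "slack_oauth": {"client_id": "1234.5678", "client_secret": "sample-secret"},
}
# Key names treated as sensitive wherever they appear in the record.
SECRET_KEYS = {"client_secret", "secret", "token", "private_key", "password"}
MASK = "***"

def get_settings_legacy(row, is_admin):
    """Vulnerable shape: the stored row is returned to any workspace member."""
    return copy.deepcopy(row)

def get_settings_fixed(row, is_admin):
    """Hardened shape: sensitive values are masked unless the caller is an admin."""
    out = copy.deepcopy(row)
    if not is_admin:
        _mask_secrets(out)
    return out

def _mask_secrets(obj):
    """Recursively replace values under secret-looking keys with MASK."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in SECRET_KEYS:
                obj[key] = MASK  # keep the key so clients can tell it is set
            else:
                _mask_secrets(value)
    elif isinstance(obj, list):
        for item in obj:
            _mask_secrets(item)

def find_leaked_secrets(response, path=""):
    """Regression check: paths of secret-looking keys whose value is unmasked."""
    leaks = []
    if isinstance(response, dict):
        for key, value in response.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and value not in (MASK, None, ""):
                leaks.append(here)
            else:
                leaks.extend(find_leaked_secrets(value, here))
    return leaks
```

Running find_leaked_secrets over the JSON a non-admin token actually receives from the get_settings endpoint gives a quick affected-or-not check after upgrading.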

Remediation

This vulnerability is fixed in Windmill version 1.635.0; upgrade to that version or later.

Added: Feb 20, 2026, 12:42 AM
Updated: Feb 20, 2026, 12:42 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.