Windmill Path Traversal Vulnerability in Log File Endpoint Allowing Arbitrary File Read

A path traversal vulnerability has been identified in Windmill versions prior to 1.603.3, specifically in the 'get_log_file' endpoint. The vulnerability allows unauthenticated users to read arbitrary files on the server by exploiting the 'filename' parameter, which is not properly sanitized and can be manipulated using '../' sequences. This issue has been addressed in version 1.603.3.

Impact

Exploitation of this vulnerability allows for arbitrary file read on the server. In specific cases, such as Windmill embedded within Nextcloud Flow, it could lead to unauthorized access to the 'SUPERADMIN_SECRET' environment variable. This secret, if present, could be used to authenticate as a superadmin and execute arbitrary code via the job preview API.

Remediation

Users should upgrade to Windmill version 1.603.3 or later. Nextcloud Flows is transitioning to a new integration that decouples it from Windmill, allowing independent updates.