CVE-2026-47107HIGH 8.1EPSS p14.8%

CVE-2026-47107CVE-2026-47107

Description

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to other users' workspaces.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.24% probability of exploitation · percentile 14.8% · 2026-06-19T12:03:05Z
Published2026-05-19
Last modified2026-05-20

Underlying weaknesses· 1

CWE-276

References

  1. https://github.com/windmill-labs/windmill/commit/f8467f38c8a053117ce62f96684cfb15ef792f08
  2. https://github.com/windmill-labs/windmill/pull/9194
  3. https://github.com/windmill-labs/windmill/releases/tag/v1.703.2
  4. https://www.vulncheck.com/advisories/windmill-incorrect-default-permissions-in-nsjail-configuration
  5. https://github.com/windmill-labs/windmill/pull/9194

1

TypeTargetConfidenceTier
WeaknessIncorrect Default Permissionscwe-2760%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-22683
CVE
CVE-2026-23696
CVE
CVE-2026-27173
CVE
CVE-2026-41978
CVE
CVE-2026-32038
CVE
CVE-2026-28470
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.