CVE-2026-29059 Overview
CVE-2026-29059 is a path traversal vulnerability affecting Windmill, an open-source developer platform for internal code that provides APIs, background jobs, workflows, and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint (/api/w/{workspace}/jobs_u/get_log_file/(unknown)). The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences.
Critical Impact
Unauthenticated attackers can read sensitive files from the server filesystem, potentially exposing configuration files, credentials, API keys, and other confidential data stored on affected Windmill instances.
Affected Products
- Windmill versions prior to 1.603.3
- Self-hosted Windmill deployments exposing the vulnerable API endpoint
- Windmill instances accessible over the network without proper access controls
Discovery Timeline
- 2026-03-06 - CVE-2026-29059 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29059
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw exists in the get_log_file endpoint which is designed to retrieve log files for job executions within a workspace. The vulnerability allows unauthenticated access, meaning no authentication tokens or session credentials are required to exploit this issue.
The endpoint accepts a filename parameter that is directly concatenated into the file path used to read the requested file. Because the application fails to properly validate or sanitize this input, attackers can manipulate the filename parameter to escape the intended log directory and access arbitrary files elsewhere on the filesystem.
Root Cause
The root cause is the lack of input sanitization on the filename parameter in the get_log_file endpoint. The application directly uses the user-supplied filename value to construct a file path without:
- Validating that the path remains within the expected log directory
- Stripping or rejecting path traversal sequences like ../
- Implementing path canonicalization to resolve symbolic links or relative paths
- Applying allowlist validation against expected filename patterns
This missing input validation allows attackers to traverse the directory structure and access files outside the intended scope.
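As an added illustration (not Windmill's own code), the Rust below places the vulnerable concatenation beside a hardened resolver that applies the four checks listed above: it accepts only a single normal path component, applies an allowlist to the name, and verifies that the joined path still starts with the log directory. The log directory, the error type and the allowlist pattern are assumptions made for this example.

```rust
// Added example, not Windmill's code. LOG_DIR and the allowlist pattern are
// assumptions for illustration only.
use std::path::{Component, Path, PathBuf};

/// Base directory that log files live in (assumed for this example).
pub const LOG_DIR: &str = "/var/lib/windmill/logs";

#[derive(Debug, PartialEq)]
pub enum PathError {
    /// Empty name, absolute path, or a ".." / "." component.
    Traversal,
    /// Name does not match the allowlisted log-file name pattern.
    NotAllowlisted,
}

/// The vulnerable shape: the untrusted name is concatenated straight into the
/// path, so "../../../etc/passwd" escapes the log directory.
pub fn vulnerable_log_path(log_dir: &str, filename: &str) -> PathBuf {
    PathBuf::from(format!("{}/{}", log_dir, filename))
}

/// Allowlist (assumed pattern): ASCII letters, digits, '-', '_' and '.',
/// must end in ".log" or ".txt", and must not start with a dot.
fn is_allowlisted_name(name: &str) -> bool {
    !name.starts_with('.')
        && (name.ends_with(".log") || name.ends_with(".txt"))
        && name
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.')
}

/// Hardened shape: reject anything that is not exactly one normal path
/// component, apply the allowlist, then join and re-check containment.
pub fn safe_log_path(log_dir: &str, filename: &str) -> Result<PathBuf, PathError> {
    let mut components = Path::new(filename).components();
    // Exactly one component, and it must be a plain name (no "..", "/", ".").
    match (components.next(), components.next()) {
        (Some(Component::Normal(_)), None) => {}
        _ => return Err(PathError::Traversal),
    }
    if !is_allowlisted_name(filename) {
        return Err(PathError::NotAllowlisted);
    }
    let base = Path::new(log_dir);
    let full = base.join(filename);
    // Lexical containment check; it runs before any filesystem access.
    if !full.starts_with(base) {
        return Err(PathError::Traversal);
    }
    Ok(full)
}

fn main() {
    for &name in ["job-42.log", "../../../etc/passwd", "/etc/passwd", ".env"].iter() {
        println!(
            "{:<22} vulnerable={:?} safe={:?}",
            name,
            vulnerable_log_path(LOG_DIR, name),
            safe_log_path(LOG_DIR, name)
        );
    }
}
```

The lexical check rejects traversal without touching the disk; in production code, calling std::fs::canonicalize on both the base and the joined path additionally resolves symbolic links, at the cost of requiring the file to exist first.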
Attack Vector
The attack is executed remotely over the network without requiring any authentication. An attacker can craft malicious HTTP requests to the vulnerable endpoint, supplying ../ sequences in the filename parameter to traverse directories. By chaining multiple traversal sequences, an attacker can navigate from the log file directory to the filesystem root and access sensitive files such as /etc/passwd, application configuration files, environment variables, or database credentials.
A typical attack request would target the endpoint /api/w/{workspace}/jobs_u/get_log_file/(unknown) with a crafted filename containing path traversal sequences like ../../../etc/passwd to read the system's password file, or ../../../app/config/secrets.json to access application secrets.
Detection Methods for CVE-2026-29059
Indicators of Compromise
- Web server logs showing requests to /api/w/*/jobs_u/get_log_file/ containing ../ sequences
- Unusual access patterns to the get_log_file endpoint from external IP addresses
- HTTP requests with encoded path traversal variants such as %2e%2e%2f or ..%5c
- Evidence of sensitive file contents in response payloads or exfiltration attempts
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Implement log analysis to identify requests containing ../ or URL-encoded equivalents targeting the vulnerable endpoint
- Monitor for anomalous access to the get_log_file API from unauthenticated sessions or unusual source IPs
- Use intrusion detection systems (IDS) with signatures for path traversal attack patterns
Monitoring Recommendations
- Enable detailed access logging for all API endpoints and review logs for traversal indicators
- Set up alerts for requests to /api/w/*/jobs_u/get_log_file/ containing special characters or path sequences
- Monitor file access patterns on the server for reads of sensitive system files from the Windmill application process
- Implement network monitoring to detect potential data exfiltration following exploitation attempts
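To make the log-analysis strategy above concrete, here is an added Rust example (not Windmill's or any vendor's tooling) that scans access-log lines for get_log_file requests carrying a traversal sequence, covering the raw, percent-encoded and backslash (..%5c) variants from the indicator list. It goes slightly beyond that list by decoding twice, so double-encoded forms such as %252e%252e%252f are caught as well. The nginx "combined" log format and the sample lines are constructed for this example.

```rust
// Added example, not Windmill's or any vendor's code. The log format and the
// sample lines below are constructed for illustration.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub client: String,
    pub path: String,
    pub status: String,
}

/// Decode %XX escapes once; malformed escapes are left as-is.
pub fn percent_decode_once(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let Some(b) = std::str::from_utf8(&bytes[i + 1..i + 3])
                .ok()
                .and_then(|h| u8::from_str_radix(h, 16).ok())
            {
                out.push(b);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// True if the path, raw or after one or two rounds of decoding, contains a
/// "../" or "..\" sequence (two rounds catch double-encoding).
pub fn has_traversal(path: &str) -> bool {
    let once = percent_decode_once(path);
    let twice = percent_decode_once(&once);
    [path, once.as_str(), twice.as_str()]
        .iter()
        .any(|p| p.contains("../") || p.contains("..\\"))
}

/// Parse one combined-format line into (client, request path, status).
fn parse_line(line: &str) -> Option<(&str, &str, &str)> {
    let client = line.split(' ').next()?;
    let start = line.find('"')? + 1;
    let end = start + line[start..].find('"')?;
    let request = &line[start..end];
    let path = request.split(' ').nth(1)?;
    let status = line[end + 1..].split_whitespace().next()?;
    Some((client, path, status))
}

/// Flag every line that targets the get_log_file endpoint with a traversal.
pub fn scan(lines: &[&str]) -> Vec<Finding> {
    lines
        .iter()
        .filter_map(|line| {
            let (client, path, status) = parse_line(line)?;
            let decoded = percent_decode_once(path);
            let targets_endpoint = path.contains("/jobs_u/get_log_file/")
                || decoded.contains("/jobs_u/get_log_file/");
            if targets_endpoint && has_traversal(path) {
                Some(Finding {
                    client: client.to_string(),
                    path: path.to_string(),
                    status: status.to_string(),
                })
            } else {
                None
            }
        })
        .collect()
}

/// Constructed sample lines: a benign request, four traversal variants, and an
/// unrelated endpoint.
pub const SAMPLE_LOG: &[&str] = &[
    r#"203.0.113.7 - - [06/Mar/2026:10:15:30 +0000] "GET /api/w/demo/jobs_u/get_log_file/job-42.log HTTP/1.1" 200 512 "-" "Mozilla/5.0""#,
    r#"198.51.100.23 - - [06/Mar/2026:10:15:32 +0000] "GET /api/w/demo/jobs_u/get_log_file/../../../etc/passwd HTTP/1.1" 200 1847 "-" "curl/8.4.0""#,
    r#"198.51.100.23 - - [06/Mar/2026:10:15:35 +0000] "GET /api/w/demo/jobs_u/get_log_file/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1847 "-" "curl/8.4.0""#,
    r#"198.51.100.23 - - [06/Mar/2026:10:15:38 +0000] "GET /api/w/demo/jobs_u/get_log_file/%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "curl/8.4.0""#,
    r#"198.51.100.23 - - [06/Mar/2026:10:15:41 +0000] "GET /api/w/demo/jobs_u/get_log_file/..%5c..%5c..%5cetc%2fpasswd HTTP/1.1" 404 0 "-" "curl/8.4.0""#,
    r#"203.0.113.9 - - [06/Mar/2026:10:16:02 +0000] "GET /api/w/demo/jobs/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0""#,
];

fn main() {
    for f in scan(SAMPLE_LOG) {
        println!("ALERT client={} status={} path={}", f.client, f.status, f.path);
    }
}
```

A 200 status with a non-trivial byte count on a flagged line is the strongest signal that a read actually succeeded; the 403 and 404 entries still show that someone is probing the endpoint and are worth correlating by source address.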
How to Mitigate CVE-2026-29059
Immediate Actions Required
- Upgrade Windmill to version 1.603.3 or later immediately
- Restrict network access to Windmill instances to trusted networks only until patching is complete
- Review server access logs for evidence of exploitation attempts
- Audit any potentially exposed sensitive files for signs of unauthorized access
Patch Information
Windmill has addressed this vulnerability in version 1.603.3. Organizations running affected versions should upgrade immediately to the patched release. The fix implements proper input validation and sanitization for the filename parameter to prevent path traversal attacks.
For patch details, refer to the Windmill Release v1.603.3 and the GitHub Security Advisory GHSA-24fr-44f8-fqwg.
Workarounds
- Place Windmill behind a reverse proxy that blocks requests containing path traversal sequences
- Implement network segmentation to limit access to Windmill instances from untrusted networks
- Use a web application firewall (WAF) to filter malicious requests targeting the vulnerable endpoint
- Temporarily disable or restrict access to the get_log_file endpoint if log retrieval functionality is not critical
# Example nginx configuration to block path traversal attempts.
# $request_uri is the raw, undecoded request line, so the pattern must also
# cover the percent-encoded forms (%2e%2e, %2e., .%2e) listed under
# Indicators of Compromise; a bare "\.\." check would let %2e%2e%2f through.
location /api/w/ {
    if ($request_uri ~* "(\.\.|%2e%2e|%2e\.|\.%2e)") {
        return 403;
    }
    proxy_pass http://windmill_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

