CVE-2026-47107 Overview
CVE-2026-47107 is an incorrect default permissions vulnerability [CWE-276] in Windmill versions prior to 1.703.2. The nsjail sandbox used to isolate script execution bind-mounts /etc without read-write restrictions. Authenticated users with script execution privileges can write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from inside the sandbox. Poisoned entries persist across every subsequent script execution on the same worker pod. Attackers leverage this persistence to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle (MITM) attacks, and capture WM_TOKEN JSON Web Tokens (JWTs) to obtain workspace-admin access to other tenants.
Critical Impact
Any authenticated Windmill user can pivot from a single script invocation to full workspace-admin compromise of co-tenant workspaces sharing the same worker pod.
Affected Products
- Windmill versions prior to 1.703.2
- Windmill worker pods running nsjail sandboxed script execution
- Multi-tenant Windmill deployments sharing worker pools across workspaces
Discovery Timeline
- 2026-05-19 - CVE-2026-47107 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
- Patch released - Windmill v1.703.2 published on GitHub with hardened nsjail configuration
Technical Details for CVE-2026-47107
Vulnerability Analysis
Windmill is a developer platform for running scripts and workflows. Each script executes inside an nsjail sandbox on a worker pod. The sandbox is intended to isolate untrusted user code from the host filesystem and from other tenants.
The nsjail configuration bind-mounts the host /etc directory into the sandbox without applying the read-only (rw: false) flag. As a result, any process inside the sandbox inherits write access to sensitive system files. The bind mount targets the worker pod's /etc, not an ephemeral copy, so modifications survive after the sandbox exits and apply to every subsequent script execution scheduled to the same pod.
This vulnerability is categorized as Insecure Permissions and Man-in-the-Middle, mapped to [CWE-276] Incorrect Default Permissions.
Root Cause
The root cause is the absence of a read-only flag on the /etc bind mount inside the nsjail policy file. Sandbox authors typically restrict writes to system configuration directories. In Windmill, the omission allowed user-controlled scripts to overwrite or append to files such as /etc/hosts, /etc/resolv.conf, and the system trust store at /etc/ssl/certs/ca-certificates.crt.
Attack Vector
An authenticated user submits a script that writes attacker-controlled entries into the mounted /etc files. Appending a certificate authority (CA) to ca-certificates.crt causes subsequent jobs on the pod to trust attacker-issued TLS certificates. Modifying /etc/hosts or /etc/resolv.conf redirects outbound traffic from later scripts, including internal Windmill API calls, through an attacker-controlled host. When a co-tenant's job authenticates to the Windmill backend, the attacker intercepts the WM_TOKEN JWT and replays it with workspace-admin scope. Refer to the VulnCheck Security Advisory and GitHub Pull Request 9194 for the technical write-up.
// No verified public exploit code is published.
// The conceptual exploitation chain is:
// 1. Write rogue CA to /etc/ssl/certs/ca-certificates.crt
// 2. Add attacker host to /etc/hosts for windmill backend FQDN
// 3. Wait for co-tenant job; MITM TLS; capture WM_TOKEN JWT
// 4. Reuse JWT against /api with workspace-admin scope
Detection Methods for CVE-2026-47107
Indicators of Compromise
- Unexpected modifications to /etc/hosts, /etc/resolv.conf, or /etc/ssl/certs/ca-certificates.crt on Windmill worker pods
- New or unknown CA entries appended to the system trust store on worker pods
- DNS resolutions from worker pods pointing internal Windmill API hostnames to unexpected IP addresses
- WM_TOKEN JWTs used from source IPs that differ from the issuing worker pod
Detection Strategies
- File integrity monitoring on worker pod /etc paths with alerting on any write event
- Audit Windmill job logs for scripts that open /etc/hosts, /etc/resolv.conf, or ca-certificates.crt for write
- Compare the running pod's ca-certificates.crt hash against the container image baseline
- Correlate JWT issuance events with downstream API calls to detect token reuse across workspaces
Monitoring Recommendations
- Forward worker pod auditd and file-write telemetry to a centralized data lake for cross-pod correlation
- Alert on outbound DNS or TLS connections from worker pods to non-allowlisted destinations
- Track Windmill worker container image versions and flag any cluster still running a release earlier than 1.703.2
How to Mitigate CVE-2026-47107
Immediate Actions Required
- Upgrade Windmill to version 1.703.2 or later on all worker pods and the control plane
- Recycle existing worker pods so any in-memory poisoned /etc state is destroyed
- Rotate all WM_TOKEN JWTs and workspace API keys that may have been exposed before patching
- Audit workspace-admin assignments for unauthorized changes since the affected version was deployed
Patch Information
The fix is delivered in Windmill v1.703.2. The nsjail configuration was updated to mount /etc and related system directories read-only. See the GitHub Commit Update, GitHub Pull Request 9194, and the GitHub Release v1.703.2 for details.
Workarounds
- Until upgrade is possible, dedicate a separate worker pool per workspace to prevent cross-tenant impact
- Override the nsjail policy file to mark the /etc bind mount as read-only (rw: false)
- Run worker pods on ephemeral filesystems that are discarded after each job
- Restrict script execution privileges to a minimal, trusted set of users
# Example nsjail mount hardening (apply until upgrading to 1.703.2)
mount {
src: "/etc"
dst: "/etc"
is_bind: true
rw: false
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
