NIXPKGS-2026-0827

GitHub issue published on 28 Mar 2026

Permalink CVE-2026-33881

updated 18 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 10 hours ago
@LeSuisse accepted 18 hours ago
@LeSuisse published on GitHub 18 hours ago

Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.

References

https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q x_refsource_CONFIRM

Affected products

windmill

==< 1.664.0

Matching in nixpkgs

pkgs.windmill

Open-source developer platform to turn scripts into workflows and UIs

nixos-unstable 1.601.1
- nixpkgs-unstable 1.601.1
- nixos-unstable-small 1.601.1
nixos-25.11 1.549.1
- nixos-25.11-small 1.549.1
- nixpkgs-25.11-darwin 1.549.1

Package maintainers

@dit7ya Mostly Void <7rat13@gmail.com>
@happysalada Raphael Megzari <raphael@megzari.com>

Advisory: https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0827

References

Affected products

Matching in nixpkgs

pkgs.windmill

Package maintainers