Security overview · windmill-labs/windmill · GitHub

Security

No security policy detected

This project has not set up a SECURITY.md file yet.

Report a vulnerability

Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor
GHSA-8q8j-mm3g-5c2q published Mar 25, 2026 by rubenfiszel

Low
SUPERADMIN_SECRET (rarely used) can be accessed publicly on versions < 1.603.3 using RCE
GHSA-24fr-44f8-fqwg published Mar 2, 2026 by rubenfiszel

High
Workspace Slack OAuth Client Secret Exposed to Non-Admin Workspace Members
GHSA-f27g-j463-q85w published Feb 16, 2026 by rubenfiszel

Low

Learn more about advisories related to windmill-labs/windmill in the GitHub Advisory Database