What is CVE-2026-23696?

CVE-2026-23696 is a critical-severity vulnerability in Nextcloud Flow, classified under SQL Injection. CVSS score: 9.9/10. Published 2026-04-07.

How severe is CVE-2026-23696?

Critical severity. CVSS v3 base score is 9.9 out of 10.

SQL Injection in Nextcloud Flow

CVE-2026-23696

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use…

Vulnerability class: SQL Injection

EPSS: 0.001 (28.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Nextcloud Flow — versions 1.0.0, 1.3.0, 1.3.1
Windmill Labs Ce (Community Edition) — versions 1.276.0, 1.603.3
Windmill Labs Ee (Enterprise Edition) — versions 1.276.0, 1.603.3

Weakness classification (CWE)

CWE-89 — SQL Injection

References

chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/ (technical-description, exploit)
github.com/Chocapikk/Windfall (exploit)
github.com/windmill-labs/windmill/releases/tag/v1.603.3 (release-notes)
github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eea… (patch)
www.windmill.dev/ (product)
apps.nextcloud.com/apps/flow/releases (release-notes)
www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce (third-party-advisory)

Frequently asked questions

What is CVE-2026-23696?: CVE-2026-23696 is a critical-severity vulnerability in Nextcloud Flow, classified under SQL Injection. CVSS score: 9.9/10. Published 2026-04-07.
How severe is CVE-2026-23696?: Critical severity. CVSS v3 base score is 9.9 out of 10.