What is CVE-2026-29059?

CVE-2026-29059 is a vulnerability in Windmill-labs Windmill, classified under Path Traversal. Published 2026-03-06.

Is CVE-2026-29059 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Windmill-labs Windmill

CVE-2026-29059

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{works…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.233 (96.1th percentile) — read the EPSS interpretation.

Affected products

Windmill-labs Windmill — versions < 1.603.3

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

Chocapikk/Windfall

References

https://github.com/windmill-labs/windmill/security/advisories/GHSA-24fr-44f8-fqwg (x_refsource_CONFIRM)
https://github.com/windmill-labs/windmill/releases/tag/v1.603.3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-29059?: CVE-2026-29059 is a vulnerability in Windmill-labs Windmill, classified under Path Traversal. Published 2026-03-06.
Is CVE-2026-29059 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.