Windmill, Authorization Bypass via Scoped API Token Resource Path Mismatch, AIKIDO-2026-10918 (Low) -DC-Jul2026-862

Listen to this Post

How AIKIDO-2026-10918 Works

Windmill supports scoped API tokens with a format of {domain}:{action}[:{resource}], allowing administrators to restrict tokens to specific resources, such as scripts:read:f/allowed/. However, a critical flaw exists in how these scopes are enforced for certain listing endpoints.
The route-level scope middleware validates the token’s domain and action (e.g., scripts:read) but completely ignores the resource/path segment of the scope. For the endpoint GET /api/w/{workspace}/scripts/list_search, the handler executes a SQL query that returns `path` and `content` for all scripts in the workspace without any per-row filtering:

SELECT path, content FROM script WHERE workspace_id = $1 AND archived = false LIMIT $2

There is no additional `check_scopes(…)` call in the handler and no per-row path filtering against the token’s resource restrictions.
As a result, a token created with `scripts:read:f/allowed/` — intended to read only scripts under the `f/allowed/` path — can be used to call the `list_search` endpoint and retrieve the `path` and `content` of all scripts in the workspace, including those under unrelated paths like f/private/script_b. This bypasses the intended resource-scoped restriction and exposes script source code from outside the token’s authorized scope.
This issue appears to be a remaining variant of a broader class of authorization bypasses previously addressed for other endpoints, such as `resources/variables` listing and job preview paths. However, no equivalent fix was applied to scripts/list_search.

DailyCVE Form

Platform: Windmill
Version: <= 1.714.1
Vulnerability: Resource-scoped API token path restriction bypass via /scripts/list_search
Severity: Low
Date: 2026-07-10

Prediction: 2026-07-25

What Undercode Say

Analytics

The vulnerability allows a token with `scripts:read:f/allowed/` scope to retrieve all scripts in the workspace.

Bash Commands & Codes

Create a scoped token (legitimate):

curl -X POST "https://windmill.example.com/api/w/{workspace}/tokens" \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"label":"restricted-read","scopes":["scripts:read:f/allowed/"]}'

Exploit the bypass:

TOKEN="<restricted-token>"
WORKSPACE="your-workspace"
curl -X GET "https://windmill.example.com/api/w/${WORKSPACE}/scripts/list_search" \
-H "Authorization: Bearer ${TOKEN}"

Expected (restricted) response: only `f/allowed/` scripts.

Actual (vulnerable) response: all scripts including `f/private/script_b`.

Check scope of a token:

curl -X GET "https://windmill.example.com/api/w/${WORKSPACE}/tokens/verify" \
-H "Authorization: Bearer ${TOKEN}"

Exploit

  1. Create or identify a workspace with at least two scripts:
    – `f/allowed/script_a`
    – `f/private/script_b`
    2. Generate a scoped API token with the scope scripts:read:f/allowed/.
  2. Send a `GET` request to `/api/w/{workspace}/scripts/list_search` using the token.
  3. Observe that the response includes `path` and `content` for both scripts, not just those under f/allowed/.

This exposes script source code, which may contain:

  • Internal automation logic
  • Integration details
  • Business logic
  • Inline configuration
  • Accidentally hardcoded secrets or credentials
    No admin privileges are required — only possession of a valid scoped API token for the workspace.

Protection

  • Upgrade to the patched version of `windmill-client` (1.709.0 or later).
  • Avoid using resource-scoped tokens for read access until the patch is applied.
  • Audit existing tokens and rotate any that may have been exposed.
  • Monitor logs for unexpected `scripts/list_search` requests from restricted tokens.
  • Apply the suggested fix: add handler-level authorization or per-row filtering to `scripts/list_search` so that a scoped token only receives scripts whose path is included by at least one `scripts:read:{resource}` scope.

Impact

  • Information Disclosure: An attacker with a path-restricted `scripts:read:{resource}` token can read script contents from unrelated paths in the same workspace.
  • Exposure of Sensitive Data: Scripts may contain internal automation logic, integration details, business logic, inline configuration, or accidentally hardcoded secrets and credentials.
  • Low Complexity: The attack requires no admin privileges; only a valid scoped API token for the workspace.
  • Widespread Affected Versions: Confirmed in versions up to and including 1.714.1.
  • Related Class of Issues: Similar scoped-token issues have been fixed for other endpoints, but `scripts/list_search` remains vulnerable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top