Vulnerabilities

Report: Breaking: CVE-2026-47107 - Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration

2026-05-19 0 views admin
Report: Breaking: CVE-2026-47107 - Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration

CVE ID :CVE-2026-47107 Published : May 19, 2026, 4:42 p.m. | 1 hour, 19 minutes ago Description :Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to victim workspaces across tenants. Severity: 9.6 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

Severity
CRITICAL
Published
May 19, 2026

🏷️ Tags

reportbreaking47107windmillincorrectdefaultpermissionsnsjailconfigurationcve

More from Vulnerabilities

Report: CVE-2026-29518 - Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write

Report: CVE-2026-29518 - Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write

2026-05-20 0
Report: CVE-2026-3593 - Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation - Full Analysis

Report: CVE-2026-3593 - Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation - Full Analysis

2026-05-20 0
Report: Ultimate Guide: CVE-2026-3592 - Amplification vulnerabilities via self-pointed glue records

Report: Ultimate Guide: CVE-2026-3592 - Amplification vulnerabilities via self-pointed glue records

2026-05-20 0
Report: Ultimate Guide: CVE-2026-3039 - BIND 9 server memory exhaustion during GSS-API TKEY negotiation

Report: Ultimate Guide: CVE-2026-3039 - BIND 9 server memory exhaustion during GSS-API TKEY negotiation

2026-05-20 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views