
AIKIDO-2026-10917

windmill-client is vulnerable to Authorization Bypass

Authorization Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

80 (High Risk)

This Affects:

windmill-client (JS)
1.509.0 - 1.708.0
Fixed in 1.709.0

TL;DR

Affected versions of this package contain an unauthenticated authorization bypass in the public jobs_u/getupdate/{id} and jobs_u/getupdate_sse/{id} endpoints when only_result=true is supplied. An unauthenticated user who knows the UUID of a private job can retrieve that job's output, which may include sensitive user data, third-party API responses, or secrets. An attacker could exploit this by obtaining or guessing a valid private job ID and sending an unauthenticated request to the affected endpoint with only_result=true, receiving results that should only be available to authorized users.
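To turn the description above into something a defender can act on, here is an added example (not code from Aikido or from the Windmill project) that does two things: checks whether an installed windmill-client version falls inside the affected range stated in this advisory, and scans reverse-proxy access logs for requests to the two named endpoints, flagging those that carried only_result=true and were answered with 200. The log lines are constructed for the example, the "/api/w/<workspace>/" prefix in front of jobs_u/ is an assumption about the deployment (the regex only anchors on the jobs_u/getupdate and jobs_u/getupdate_sse segments), and the log format is assumed to be a common combined-style format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs

# Affected range from the advisory header, inclusive; first fixed release is 1.709.0.
AFFECTED_MIN = (1, 509, 0)
AFFECTED_MAX = (1, 708, 0)


def parse_version(version: str) -> tuple:
    """Turn '1.600.2' into (1, 600, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the given windmill-client version lies inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample access-log lines (not real traffic). Lines 1-2 are the pattern
# described in the advisory: the affected endpoints, only_result=true, served with 200.
# Line 3 hits the endpoint without only_result; line 4 is an unrelated jobs route.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/w/demo/jobs_u/getupdate/3f2504e0-4f89-11d3-9a0c-0305e82c3301?only_result=true HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /api/w/demo/jobs_u/getupdate_sse/3f2504e0-4f89-11d3-9a0c-0305e82c3301?only_result=true HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api/w/demo/jobs_u/getupdate/8b1e9c20-1111-4f00-8aaa-000000000002 HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/w/demo/jobs/completed/get/8b1e9c20-1111-4f00-8aaa-000000000002 HTTP/1.1" 401 0
"""

UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Match the request line: method, any path prefix, then one of the two advisory
# endpoints followed by a job UUID, an optional query string, and the HTTP status.
ENDPOINT_RE = re.compile(
    r'"(?P<method>[A-Z]+) \S*?/jobs_u/getupdate(?P<sse>_sse)?/(?P<job_id>' + UUID + r')'
    r'(?:\?(?P<query>\S*))? HTTP/[\d.]+" (?P<status>\d{3})'
)


@dataclass
class Hit:
    line_no: int
    job_id: str
    sse: bool          # True for jobs_u/getupdate_sse, False for jobs_u/getupdate
    only_result: bool  # whether the request carried only_result=true
    status: int


def _only_result_flag(query: Optional[str]) -> bool:
    """Parse the query string and report whether only_result=true was supplied."""
    if not query:
        return False
    values = parse_qs(query).get("only_result", [""])
    return values[0].lower() == "true"


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return every request to the two affected endpoints found in the log lines."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        m = ENDPOINT_RE.search(line)
        if not m:
            continue
        hits.append(Hit(
            line_no=line_no,
            job_id=m.group("job_id").lower(),
            sse=m.group("sse") is not None,
            only_result=_only_result_flag(m.group("query")),
            status=int(m.group("status")),
        ))
    return hits


def suspicious_hits(hits: Iterable[Hit]) -> List[Hit]:
    """Keep the hits matching the advisory's condition: only_result=true answered with 200.

    These are the requests worth correlating with session/token data, since the
    access log alone does not show whether the caller was authenticated."""
    return [h for h in hits if h.only_result and h.status == 200]


if __name__ == "__main__":
    for v in ("1.508.9", "1.509.0", "1.600.3", "1.708.0", "1.709.0"):
        print(f"windmill-client {v}: {'affected' if is_affected(v) else 'not affected'}")
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in suspicious_hits(hits):
        kind = "getupdate_sse" if h.sse else "getupdate"
        print(f"line {h.line_no}: {kind} job={h.job_id} only_result=true status={h.status}")
```

The version check is only as good as the version string you feed it; read it from the lockfile rather than package.json so that caret ranges do not hide an older resolved install. The log scan deliberately reports every only_result=true request with a 200 response, whether or not the caller was authenticated, because a proxy access log cannot tell the two apart; the job IDs it surfaces are the ones to reconcile against the application's own audit data.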

Who does this affect?

You are affected if you are using a version of windmill-client that falls within the vulnerable range, 1.509.0 through 1.708.0.

Background info

windmill-client is vulnerable to Authorization Bypass in versions 1.509.0 - 1.708.0.

How to fix this

Upgrade the windmill-client library to 1.709.0 or later, the first version containing the fix.