CVE-2026-26964: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in windmill-labs windmill
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users to see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue where the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-26964 affects windmill, an open-source developer platform used for managing internal code, APIs, background jobs, workflows, and user interfaces. In versions 1.634.6 and earlier, the platform improperly exposes the Slack OAuth client secret to any authenticated workspace member, regardless of their administrative privileges. Specifically, the GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret in plaintext, which should be restricted to workspace administrators only. This flaw stems from a legacy design where the Slack OAuth client secret was stored as a plain value rather than using variable indirection ($variable), and it was never included in the redaction logic that limits sensitive information visibility for non-admin users. While non-admin users are expected to see a redacted subset of workspace settings necessary for frontend functionality, the Slack OAuth secret should not be among them. This exposure risks unauthorized access to OAuth credentials, potentially enabling attackers to impersonate the application in Slack integrations or access Slack workspace data. The vulnerability does not require user interaction and requires only authenticated access with non-admin privileges. The issue was resolved in windmill version 1.635.0 by implementing proper redaction of the Slack OAuth client secret for non-admin users. There are no known exploits in the wild as of the publication date.
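An added illustration, not Windmill's own code, of the redaction logic the advisory describes: a settings view built from a fixed redaction key set, shown with a legacy set that omits the Slack secret beside the corrected set. The field names other than slack_oauth_client_secret, the `$var:` prefix standing in for $variable indirection, and the legacy key list are assumptions made for the example.

```python
"""Added example (not Windmill's code) modelling CVE-2026-26964.

Settings returned to every workspace member were redacted by a fixed
key list that never included slack_oauth_client_secret, which was stored
as a plain value instead of a $variable reference. The `$var:` prefix,
the other field names and the legacy key list are assumptions.
"""
from typing import Any

# Constructed sample of a workspace settings record.
SAMPLE_SETTINGS: dict[str, Any] = {
    "workspace_id": "demo",
    "auto_invite_domain": "example.com",
    "openai_resource_path": "$var:u/admin/openai_key",  # reference, not the secret
    "slack_oauth_client_secret": "plain-secret-value",  # legacy: literal value
    "slack_team_name": "demo-team",
}

SECRET_KEYS = frozenset({"slack_oauth_client_secret"})

# Before the fix: keys blanked for non-admins (assumed list; the secret is missing).
LEGACY_REDACTED_KEYS = frozenset({"auto_invite_domain"})
# After the fix: the Slack client secret is part of the redaction set.
FIXED_REDACTED_KEYS = LEGACY_REDACTED_KEYS | SECRET_KEYS


def redact_settings(settings: dict[str, Any], is_admin: bool,
                    redacted_keys: frozenset[str]) -> dict[str, Any]:
    """Return the view of `settings` an API caller should receive.

    Admins receive everything. Non-admins receive the same keys (the
    frontend relies on their presence) with redacted values set to None.
    """
    if is_admin:
        return dict(settings)
    return {k: (None if k in redacted_keys else v) for k, v in settings.items()}


def leaked_plain_secrets(view: dict[str, Any]) -> list[str]:
    """Secret keys whose literal (non-$variable) value is present in `view`."""
    return sorted(k for k in SECRET_KEYS
                  if isinstance(view.get(k), str) and not view[k].startswith("$var:"))


if __name__ == "__main__":
    for keys in (LEGACY_REDACTED_KEYS, FIXED_REDACTED_KEYS):
        view = redact_settings(SAMPLE_SETTINGS, False, keys)
        print(sorted(keys), "->", leaked_plain_secrets(view))
```

Running the block prints the secret key as leaked for the legacy set and an empty list for the fixed set, while an admin view still carries the value.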
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of Slack OAuth client secrets to any authenticated non-admin user within a windmill workspace. This exposure compromises the confidentiality of sensitive credentials that are intended to be restricted to administrators. With access to the Slack OAuth client secret, an attacker could potentially impersonate the windmill application in Slack integrations, leading to unauthorized access to Slack workspace resources, data leakage, or manipulation of Slack-based workflows and notifications. Although the vulnerability does not affect system integrity or availability, the compromise of OAuth credentials can facilitate further attacks on the Slack workspace or connected systems. Organizations relying on windmill for internal development and automation, especially those integrating with Slack, face increased risk of credential theft and subsequent lateral movement or data exfiltration within their collaboration environment. The vulnerability affects all organizations using windmill versions prior to 1.635.0 that have Slack integrations enabled and allow multiple authenticated users with non-admin roles. Since exploitation requires only authenticated access, insider threats or compromised user accounts could leverage this flaw to escalate access to sensitive OAuth credentials.
Mitigation Recommendations
Organizations should upgrade windmill to version 1.635.0 or later, where the vulnerability has been fixed by proper redaction of the Slack OAuth client secret for non-admin users. Until the upgrade can be applied, administrators should consider restricting the number of users with authenticated access to windmill workspaces, especially limiting non-admin users who do not require access to Slack integrations. Review and rotate Slack OAuth client secrets to invalidate any potentially exposed credentials. Implement monitoring and alerting for unusual OAuth token usage or Slack integration activity that could indicate misuse. Additionally, enforce strong authentication and access controls on windmill to reduce the risk of compromised user accounts. Evaluate the necessity of Slack integration within windmill and disable it if not required. Finally, audit workspace settings and logs regularly to detect unauthorized access attempts or suspicious behavior related to OAuth credentials.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-16T22:20:28.612Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6997a804d7880ec89b3e50e0
Added to database: 2/20/2026, 12:17:08 AM
Last enriched: 2/28/2026, 2:49:20 PM
Last updated: 4/4/2026, 8:16:10 AM