CVE-2026-29059 is a CWE-22 path traversal vulnerability found in the Windmill platform, an open-source tool used for managing internal code APIs, background jobs, workflows, and user interfaces. The vulnerability resides in the get_log_file endpoint (/api/w/{workspace}/jobs_u/get_log_file/{filename}), where the filename parameter is directly concatenated into a file path without any sanitization or validation. This improper limitation of pathname allows an attacker to craft malicious input containing directory traversal sequences (../) to access arbitrary files on the server filesystem. Since the endpoint does not require authentication, the attack surface is broad and can be exploited remotely over the network. The vulnerability affects all Windmill versions prior to 1.603.3, where the issue has been fixed. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates that the attack is network-based, requires no privileges or user interaction, and impacts confidentiality with limited scope. No known active exploits have been reported, but the potential for sensitive data exposure is significant given the nature of the flaw. The root cause is the lack of input validation and path normalization before file access, a common security oversight in web applications handling file paths.

The primary impact of this vulnerability is unauthorized disclosure of sensitive server files, which can include configuration files, source code, credentials, logs, or other confidential data. This compromises confidentiality and may lead to further attacks such as credential theft, privilege escalation, or lateral movement within an organization. Since the vulnerability is exploitable without authentication, any attacker with network access to the Windmill instance can attempt exploitation. The availability and integrity of the system are not directly affected by this vulnerability. However, the exposure of sensitive information can have severe operational and reputational consequences for organizations. Enterprises relying on Windmill for internal development workflows may face increased risk of intellectual property theft and compliance violations. The medium CVSS score reflects the moderate but significant risk posed by this flaw, especially in environments where Windmill is exposed to untrusted networks.

1. Immediate upgrade to Windmill version 1.603.3 or later, where the vulnerability is patched. 2. Implement strict input validation and sanitization on all file path parameters, ensuring that directory traversal sequences (../) are detected and rejected. 3. Employ path normalization techniques to resolve and validate file paths before access, restricting access strictly to intended directories. 4. Restrict network access to the Windmill platform, limiting exposure to trusted internal networks or VPNs. 5. Implement robust access controls and authentication mechanisms for sensitive API endpoints to reduce attack surface. 6. Conduct regular security audits and code reviews focusing on file handling and input validation. 7. Monitor logs for suspicious access patterns indicative of path traversal attempts. 8. Consider deploying web application firewalls (WAFs) with rules to detect and block directory traversal payloads targeting Windmill endpoints. 9. Educate development teams about secure coding practices related to file path handling to prevent similar issues in the future.