Impact
An unauthenticated attacker can find the SUPERADMIN_SECRET and use it to log in as a super admin. This could allow the attacker to compromise the server within the Flow container and
- read arbitrary files,
- leak the windmill_users_config.json file containing admin tokens in plaintext,
- and use the leaked tokens to achieve remote code execution as root within the container.
Recommendation
To prevent attackers from exploiting the reported issue, we strongly recommend that the Nextcloud Flow app is upgraded as soon as possible to the 1.3.0 release, which was released on 13 January 2026.
Until the upgrade, the Flow external app should be disabled and the container turned off.
Workarounds
The only workaround is to disable the Flow app and make sure the container is turned off and does not restart.
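The workaround above has two parts that are easy to get half right: the container must be stopped, and its restart policy must not bring it back on the next Docker daemon restart or reboot. The following POSIX shell script is an added example (not part of the advisory or of the Flow project) that checks both conditions. The container name `nextcloud-flow` is a placeholder assumption; set `FLOW_CONTAINER` to the name used in your deployment.

```shell
#!/bin/sh
# Added example, not from the advisory: verify that the Flow container is
# stopped and will not restart. The container name is an assumption.
FLOW_CONTAINER="${FLOW_CONTAINER:-nextcloud-flow}"   # placeholder, adjust to your deployment

# evaluate_state RUNNING RESTART_POLICY
# RUNNING is "true"/"false" (docker's .State.Running), RESTART_POLICY is the
# name from .HostConfig.RestartPolicy.Name ("no", "always", "unless-stopped",
# "on-failure"; an empty name means no policy on older daemons).
# Prints "ok" and returns 0 only when the container is stopped and has no
# restart policy; otherwise prints what is still wrong and returns 1.
evaluate_state() {
    running="$1"
    policy="$2"
    problems=""
    if [ "$running" = "true" ]; then
        problems="container is running"
    fi
    case "$policy" in
        ""|no) ;;
        *)
            if [ -n "$problems" ]; then
                problems="$problems; restart policy is '$policy' (should be 'no')"
            else
                problems="restart policy is '$policy' (should be 'no')"
            fi
            ;;
    esac
    if [ -z "$problems" ]; then
        echo "ok"
        return 0
    fi
    echo "$problems"
    return 1
}

# live_check: query the Docker daemon for the container and evaluate its state.
# A container that does not exist at all cannot restart, so that is reported as fine.
live_check() {
    state=$(docker inspect \
        --format '{{.State.Running}} {{.HostConfig.RestartPolicy.Name}}' \
        "$FLOW_CONTAINER" 2>/dev/null) || {
        echo "container '$FLOW_CONTAINER' not found (nothing to stop)"
        return 0
    }
    # shellcheck disable=SC2086  # intentional word splitting into two fields
    set -- $state
    evaluate_state "$1" "$2"
}

# Run the live check only when invoked with --live, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check_flow_container.sh --live`; a non-zero exit means the workaround is incomplete. If the policy is not `no`, `docker update --restart=no <container>` followed by `docker stop <container>` brings the container into the state the advisory asks for.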