CVE-2026-45226

Heym < 0.0.21 Authorization Bypass in Workflow Execution

CVSS 7.6 HIGHEPSS 0.3%CWE-863

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.6EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

12 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Affected products

heymrun · heym

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/heymrun/heym/commit/3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8 https://github.com/heymrun/heym/pull/93 https://github.com/heymrun/heym/releases/tag/v0.0.21 https://www.vulncheck.com/advisories/heym-authorization-bypass-in-workflow-execution