CVE-2026-45226
HIGH
Heym < 0.0.21 Authorization Bypass in Workflow Execution
Title source: cna
Description
Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.
References (4)
Core References
Release Notes: https://github.com/heymrun/heym/releases/tag/v0.0.21
Issue Tracking: https://github.com/heymrun/heym/pull/93
Third Party Advisory: https://www.vulncheck.com/advisories/heym-authorization-bypass-in-workflow-execution
Scores
CVSS v3: 7.1
EPSS: 0.0029
EPSS Percentile: 20.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-863
Status: published
Products (2)
heymrun/heym < 0.0.21
heymrun/heym 3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8
Published: May 12, 2026
Tracked Since: May 13, 2026