CVE-2026-45226

HIGH 7.1

Heym < 0.0.21 Authorization Bypass in Workflow Execution

CVSS Score

7.1

EPSS Score

0.1%

EPSS Percentile

16th

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

CWE	CWE-863
Vendor	heymrun
Product	heym
Published	May 12, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for heymrun heym

Be the first to know when new high vulnerabilities affecting heymrun heym are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Affected Versions

heymrun / heym

0 < 0.0.21

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/heymrun/heym/releases/tag/v0.0.21 github.com: https://github.com/heymrun/heym/pull/93 github.com: https://github.com/heymrun/heym/commit/3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8 vulncheck.com: https://www.vulncheck.com/advisories/heym-authorization-bypass-in-workflow-execution

Credits

Chia Min Jun Lennon