QwikSec

Security Database

CVE

CWE

Training

CVE-2026-45226

Published: May 12, 2026

Modified: May 13, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Vendor	Product	Versions
heymrun	heym	affected `0 - < 0.0.21` unaffected `3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/heymrun/heym/releases/tag/v0.0.21

release-notes

https://github.com/heymrun/heym/pull/93

issue-tracking

https://github.com/heymrun/heym/commit/3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8

patch

https://www.vulncheck.com/advisories/heym-authorization-bypass-in-workflow-execution

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.