QwikSec

Security Database

CVE

CWE

Training

CVE-2026-45227

Published: May 12, 2026

Modified: May 14, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.

Vendor	Product	Versions
heymrun	heym	affected `0 - < 0.0.21` unaffected `32b7e809d987d9b018ec8daa2cdaf48f627f26f1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/heymrun/heym/releases/tag/v0.0.21

release-notes

https://github.com/heymrun/heym/pull/94

issue-tracking

https://github.com/heymrun/heym/commit/32b7e809d987d9b018ec8daa2cdaf48f627f26f1

patch

https://www.vulncheck.com/advisories/heym-sandbox-escape-via-python-introspection

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.