CVE-2026-45226 HIGH

CVE-2026-45226: Heym < 0.0.21 Authorization Bypass in Workflow Execution

Vendor Heymrun
Product heym
Weakness CWE-863 · Incorrect authorization
Published May 12, 2026
Last update May 13, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 13, 2026 Record updated