High severity7.1NVD Advisory· Published May 12, 2026· Updated May 13, 2026

CVE-2026-45226

Description

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Affected products

Heymrun/Heymreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/heymrun/heym/commit/3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8nvd
github.com/heymrun/heym/pull/93nvd
github.com/heymrun/heym/releases/tag/v0.0.21nvd
www.vulncheck.com/advisories/heym-authorization-bypass-in-workflow-executionnvd

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000