Authorization Bypass in Heym Workflow Execution by Heymrun
CVE-2026-45226

7.6 HIGH

Key Information:

Vendor: Heymrun

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-45226?

Heym, a workflow automation tool by Heymrun, has an authorization bypass vulnerability that allows authenticated users to execute arbitrary workflows. The cause is insufficient access validation on referenced workflow UUIDs: an attacker can initiate a workflow whose execute nodes or subWorkflowIds point at a victim workflow's UUID. The victim workflow is then loaded and executed through an unintended execution path, which may expose sensitive outputs and trigger adverse effects in the victim workflow.
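As an added illustration (not Heym's code and not part of the advisory), the sketch below models the check this class of bug calls for: authorize every workflow reached through execute nodes or subWorkflowIds, not only the root the caller owns. The `Workflow` model, the `workflowId` field, the node type names, the sharing rule and the root-only check used as the flawed contrast are all assumptions; only "execute node" and `subWorkflowIds` come from the description above.

```python
# Added example: hypothetical data model and field names, not Heym's implementation.
from dataclasses import dataclass, field

@dataclass
class Workflow:
    id: str
    owner: str
    nodes: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)

def can_access(user, wf):
    return user == wf.owner or user in wf.shared_with

def referenced_ids(wf):
    """Workflow UUIDs pulled in via execute nodes or subWorkflowIds."""
    refs = []
    for node in wf.nodes:
        if node.get("type") == "execute" and node.get("workflowId"):
            refs.append(node["workflowId"])
        refs.extend(node.get("subWorkflowIds", []))
    return refs

def plan_execution(store, user, root_id, check_nested=True):
    """Return the workflow ids that would run, in load order.

    check_nested=False models the flawed pattern (assumed): only the root
    workflow is authorized, so nested references are loaded unchecked.
    """
    order, seen, stack = [], set(), [root_id]
    while stack:
        wf_id = stack.pop()
        if wf_id in seen:  # guard against cycles and duplicate references
            continue
        seen.add(wf_id)
        wf = store.get(wf_id)
        must_check = check_nested or wf_id == root_id
        # Same error for "missing" and "forbidden" so UUIDs cannot be probed.
        if wf is None or (must_check and not can_access(user, wf)):
            raise PermissionError(f"workflow {wf_id} not found or not accessible")
        order.append(wf_id)
        stack.extend(reversed(referenced_ids(wf)))
    return order

# Constructed sample data: mallory owns one workflow that references two of alice's.
STORE = {
    "victim-uuid": Workflow("victim-uuid", "alice", [{"type": "http"}]),
    "shared-uuid": Workflow("shared-uuid", "alice", [], {"mallory"}),
    "attacker-uuid": Workflow("attacker-uuid", "mallory", [
        {"type": "execute", "workflowId": "shared-uuid"},
        {"type": "agent", "subWorkflowIds": ["victim-uuid"]},
    ]),
}
```

Running the authorization walk before any node executes means a forbidden reference fails the whole run instead of surfacing partway through, after side effects have already fired.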

Affected Version(s)

heym 0

heym 0 < 0.0.21

heym 3ae3ef6a7d3609da0e910f9ed6b81e99a1661ac8

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon