Heym Authorization Bypass Vulnerability CVE-2026-45226
Heym before 0.0.21 contains an authorization bypass vulnerability (CVE-2026-45226) that allows any authenticated user to execute other users' workflows by referencing their UUIDs from a sub-workflow node, leading to exposure of the victim workflow's outputs and unintended side effects.
Heym before version 0.0.21 is vulnerable to an authorization bypass, tracked as CVE-2026-45226. When a workflow references another workflow by UUID (through an “execute” node or an agent node's subWorkflowId), Heym loads and runs the referenced workflow without checking that the calling user is allowed to access it. An authenticated user can therefore build a workflow that points at a victim's workflow UUID and execute it: the victim workflow runs under the attacker-controlled execution path, its outputs are returned to the attacker, and its nodes are triggered with whatever side effects they carry. The flaw affects the confidentiality and integrity of workflows in any Heym deployment running an affected version.
Attack Chain
- An attacker authenticates to a Heym instance with an ordinary user account.
- The attacker obtains the UUID of a victim workflow. A UUID is an identifier, not a secret, so access control cannot rely on it remaining unknown.
- The attacker creates a new workflow containing either an “execute” node or an agent node with a subWorkflowId, and sets that reference to the victim workflow's UUID.
- The attacker executes the newly crafted workflow.
- Because Heym does not check that the caller is authorized to access the referenced workflow, it loads and executes the victim workflow inside the attacker's execution context.
- The victim workflow's outputs are returned to the attacker.
- Nodes within the victim workflow run with side effects the victim never intended, which may cause further damage.
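The following mock reproduces the step the attack chain hinges on, sub-workflow resolution with and without an ownership check. It is an added illustration, not Heym's code: the node field names (“execute” nodes carrying a workflowId, “agent” nodes carrying a subWorkflowId), the “secret” and “sideEffect” node types, the owner model and the sharing list are all assumptions made for the example.

```python
# Mock of the sub-workflow resolution step described in the attack chain.
# Added illustration, not Heym's code: node field names ("execute" nodes with
# "workflowId", "agent" nodes with "subWorkflowId"), the owner model and the
# sharing list are assumptions.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class Workflow:
    id: str
    owner: str
    nodes: list
    shared_with: set = field(default_factory=set)  # explicit sharing, assumed


# Constructed sample store. The victim's workflow emits a sensitive output and
# runs a node with a side effect; the attacker's workflow only holds a reference.
VICTIM_ID = "7d4e1d2a-3b6f-4c8e-9a1b-0f2c3d4e5f60"
STORE: dict[str, Workflow] = {
    VICTIM_ID: Workflow(VICTIM_ID, "victim", [
        {"type": "secret", "value": "db-password-hunter2"},
        {"type": "sideEffect", "action": "rotate-prod-api-keys"},
    ]),
}


def resolve_vulnerable(caller: str, ref: str) -> Workflow:
    # Pre-fix behaviour as the advisory describes it: any existing UUID is
    # loaded; the caller is never compared with the workflow's owner.
    return STORE[ref]


def resolve_fixed(caller: str, ref: str) -> Workflow:
    wf = STORE.get(ref)
    # One error for "missing" and "not yours", so the response does not
    # confirm which UUIDs exist.
    if wf is None or (wf.owner != caller and caller not in wf.shared_with):
        raise AuthorizationError("workflow not found or not accessible")
    return wf


def run(caller: str, wf: Workflow, resolver, depth: int = 0):
    """Execute wf under caller's context; returns (outputs, side_effects)."""
    if depth > 8:  # guard against reference cycles; limit is assumed
        raise RuntimeError("sub-workflow nesting too deep")
    outputs, side_effects = [], []
    for node in wf.nodes:
        kind = node["type"]
        if kind == "execute" or kind == "agent":
            ref = node["workflowId"] if kind == "execute" else node["subWorkflowId"]
            sub = resolver(caller, ref)  # the step that lacked the check
            o, s = run(caller, sub, resolver, depth + 1)
            outputs += o
            side_effects += s
        elif kind == "secret":
            outputs.append(node["value"])
        elif kind == "sideEffect":
            side_effects.append(node["action"])
    return outputs, side_effects


def attacker_run(resolver, style: str):
    """Attacker executes a workflow that references the victim's UUID through
    an execute node (style="execute") or an agent node (style="agent").
    Returns the (outputs, side_effects) the attacker obtains, or None if the
    resolver refused the reference."""
    if style == "execute":
        node = {"type": "execute", "workflowId": VICTIM_ID}
    else:
        node = {"type": "agent", "subWorkflowId": VICTIM_ID}
    wf = Workflow("a1b2c3d4-0000-4000-8000-000000000001", "attacker", [node])
    try:
        return run("attacker", wf, resolver)
    except AuthorizationError:
        return None


if __name__ == "__main__":
    print("vulnerable:", attacker_run(resolve_vulnerable, "execute"))
    print("fixed:     ", attacker_run(resolve_fixed, "agent"))
    print("owner:     ", run("victim", STORE[VICTIM_ID], resolve_fixed))
```

The point of `resolve_fixed` is where the check sits: references are resolved at execution time, so the ownership comparison has to happen on every load, not only when the referencing workflow is saved (ownership and sharing can change after creation). Returning the same error for a missing and for a foreign UUID keeps the patched endpoint from doubling as a UUID oracle.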
Impact
Successful exploitation of CVE-2026-45226 allows an authenticated attacker to execute other users' workflows without authorization. This exposes any sensitive data the victim workflows produce and triggers their nodes outside the owner's control, which can corrupt data or cause other harmful side effects. The vulnerability affects Heym instances before version 0.0.21 and threatens the confidentiality and integrity of workflow data, and its availability where the triggered nodes are destructive.
Recommendation
- Upgrade Heym to version 0.0.21 or later, which patches CVE-2026-45226.
- Deploy the Sigma rule “Detect Heym Workflow Execution with Subworkflow UUID” to surface workflow executions that reference other workflows by UUID.
- Monitor Heym logs for executions and workflow definitions that reference a workflow UUID owned by a different user than the caller; sub-workflow references are also a legitimate feature, so the owner mismatch, not the mere presence of a UUID, is the signal worth alerting on.
Detection coverage (2 rules)
Detect Heym Workflow Execution with Subworkflow UUID
Severity: high. Detects Heym workflow executions that include a subworkflow UUID, potentially indicating an authorization bypass attempt (CVE-2026-45226).
Detect Heym Malicious Workflow Creation via API
Severity: medium. Detects the creation of potentially malicious workflows by monitoring API requests containing subworkflow UUIDs (CVE-2026-45226).
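The two rules above fire on any workflow creation or execution that carries a subworkflow UUID, which also matches legitimate use of the feature. The script below is an added example, not the platform's rule text, showing the same two detections run over constructed log lines and adding the triage step a practitioner would want: correlating the referenced UUID with its owner. The event format (one JSON object per line with “action”, “user” and “body”), the node field names and the owner table standing in for a lookup against Heym's workflow store are all assumptions.

```python
# Detection logic for the two rules above, run over constructed log lines.
# Added example, not the platform's rule text: the event format (one JSON
# object per line with "action", "user" and "body"), the node field names and
# the owner table standing in for a workflow-ownership lookup are assumed.
import json
import re

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed ownership table (in practice: a lookup against Heym's store).
WORKFLOW_OWNER = {
    "7d4e1d2a-3b6f-4c8e-9a1b-0f2c3d4e5f60": "alice",
    "0c1d2e3f-4a5b-4c6d-8e7f-90a1b2c3d4e5": "bob",
    "11111111-2222-4333-8444-555555555555": "bob",
}

# Constructed log lines: a cross-owner reference being created and executed,
# a legitimate same-owner sub-workflow, a plain workflow, and a junk line.
SAMPLE_LOGS = """\
{"action": "workflow.create", "user": "mallory", "body": {"name": "harmless", "nodes": [{"type": "execute", "workflowId": "7d4e1d2a-3b6f-4c8e-9a1b-0f2c3d4e5f60"}]}}
{"action": "workflow.execute", "user": "mallory", "body": {"id": "a1b2c3d4-0000-4000-8000-000000000001", "nodes": [{"type": "agent", "subWorkflowId": "7D4E1D2A-3B6F-4C8E-9A1B-0F2C3D4E5F60"}]}}
{"action": "workflow.execute", "user": "bob", "body": {"id": "0c1d2e3f-4a5b-4c6d-8e7f-90a1b2c3d4e5", "nodes": [{"type": "agent", "subWorkflowId": "11111111-2222-4333-8444-555555555555"}]}}
{"action": "workflow.execute", "user": "alice", "body": {"id": "7d4e1d2a-3b6f-4c8e-9a1b-0f2c3d4e5f60", "nodes": [{"type": "http", "url": "https://example.invalid"}]}}
not json at all
"""

# Rule name and severity per event type, as listed in the coverage section.
RULES = {
    "workflow.execute": ("Detect Heym Workflow Execution with Subworkflow UUID", "high"),
    "workflow.create": ("Detect Heym Malicious Workflow Creation via API", "medium"),
}


def subworkflow_refs(body: dict) -> list[str]:
    """UUIDs referenced by execute-node workflowId or agent subWorkflowId."""
    refs = []
    for node in body.get("nodes", []):
        ref = None
        if node.get("type") == "execute":
            ref = node.get("workflowId")
        elif node.get("type") == "agent":
            ref = node.get("subWorkflowId")
        if isinstance(ref, str) and UUID_RE.match(ref):
            refs.append(ref.lower())  # normalise case before the owner lookup
    return refs


def classify(event: dict) -> list[dict]:
    """Alerts for one event. cross_owner is the triage signal the rules
    themselves lack: the referenced workflow belongs to someone else."""
    rule = RULES.get(event.get("action"))
    if rule is None:
        return []
    alerts = []
    for ref in subworkflow_refs(event.get("body", {})):
        owner = WORKFLOW_OWNER.get(ref)
        alerts.append({
            "rule": rule[0], "severity": rule[1], "user": event.get("user"),
            "ref": ref, "ref_owner": owner,
            "cross_owner": owner is not None and owner != event.get("user"),
        })
    return alerts


def scan(log_text: str) -> list[dict]:
    """Run both rules over newline-delimited JSON events."""
    alerts = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable lines rather than failing the scan
        alerts.extend(classify(event))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        flag = "CROSS-OWNER " if a["cross_owner"] else ""
        print(f"[{a['severity']}] {flag}{a['user']} -> {a['ref']} ({a['rule']})")
```

On the sample input the rules produce three hits, but only the two from mallory reference a workflow she does not own; bob's hit is ordinary sub-workflow use. If the ownership lookup is not available to the detection platform, the alerts should at least be enriched with the referenced UUID so an analyst can perform that comparison by hand.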