Impact
Heym before version 0.0.21 contains an authorization bypass that permits any authenticated user to trigger the execution of arbitrary workflows by referencing another user's workflow UUID. The flaw lies in the lack of proper access validation when resolving workflow identifiers for execute nodes or agent subWorkflowIds. When exploited, an attacker can craft workflows that load and run victim workflows under attacker‑controlled execution paths, thereby exposing victim outputs and potentially invoking side‑effecting nodes. This grants the attacker the ability to execute arbitrary actions defined in the victim's workflow, effectively bypassing intended isolation and confidentiality controls.
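To make the missing check concrete, the following is an added example and not Heym's code: a minimal workflow engine in which execute and agent nodes reference other workflows by UUID. The unchecked resolver reproduces the defect described above (an identifier is loaded without any ownership check), and the checked resolver shows the remediation pattern. The store contents, user names, node kinds and the AuthorizationError type are all constructed for the illustration.

```python
"""Illustrative, not Heym's code: a minimal workflow engine showing the
missing check behind the advisory (sub-workflow IDs resolved without an
ownership check) next to a hardened resolver that enforces it.
All workflow IDs, node kinds and user names below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable
import uuid


@dataclass
class Workflow:
    id: str
    owner: str
    # Each node is (kind, payload). "execute" and "agent" nodes reference
    # another workflow by UUID, mirroring execute nodes / agent subWorkflowIds.
    nodes: list[tuple[str, str]]
    shared_with: set[str] = field(default_factory=set)


class AuthorizationError(Exception):
    """Raised when a user references a workflow they may not run (constructed)."""


# Constructed sample store: the victim owns a workflow whose "action" node
# stands in for a side-effecting step; another user knows only its UUID.
VICTIM_WF_ID = str(uuid.uuid5(uuid.NAMESPACE_DNS, "victim-workflow"))
STORE: dict[str, Workflow] = {
    VICTIM_WF_ID: Workflow(VICTIM_WF_ID, "victim", [("action", "send-report")]),
}


def resolve_unchecked(_user: str, workflow_id: str) -> Workflow:
    """Vulnerable pattern: resolves by ID alone, so any authenticated user can
    load and run any other user's workflow."""
    return STORE[workflow_id]


def resolve_checked(user: str, workflow_id: str) -> Workflow:
    """Hardened pattern: the identifier resolves only if the requesting user
    owns the workflow or was explicitly granted access. Unknown and forbidden
    IDs raise the same error so the check does not leak which UUIDs exist."""
    wf = STORE.get(workflow_id)
    if wf is None or (wf.owner != user and user not in wf.shared_with):
        raise AuthorizationError(f"user {user!r} may not execute {workflow_id}")
    return wf


def run(user: str, wf: Workflow, resolver: Callable[[str, str], Workflow],
        depth: int = 0) -> list[str]:
    """Executes a workflow on behalf of `user`, resolving every nested
    reference through `resolver`. Returns the list of actions that fired,
    tagged with the owner of the workflow that defined them."""
    if depth > 8:
        raise RecursionError("sub-workflow nesting too deep")
    fired: list[str] = []
    for kind, payload in wf.nodes:
        if kind in ("execute", "agent"):
            child = resolver(user, payload)
            fired.extend(run(user, child, resolver, depth + 1))
        elif kind == "action":
            fired.append(f"{wf.owner}:{payload}")
        else:
            raise ValueError(f"unknown node kind {kind!r}")
    return fired


def cross_user_reference(resolver: Callable[[str, str], Workflow]) -> list[str]:
    """The shape described in the advisory: a workflow owned by one user whose
    execute node references another user's workflow UUID."""
    crafted = Workflow(str(uuid.uuid4()), "other-user", [("execute", VICTIM_WF_ID)])
    return run("other-user", crafted, resolver)


def demonstrate() -> tuple[list[str], bool]:
    """Returns (actions fired under the unchecked resolver, whether the checked
    resolver refused the same cross-user reference)."""
    leaked = cross_user_reference(resolve_unchecked)
    try:
        cross_user_reference(resolve_checked)
        blocked = False
    except AuthorizationError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demonstrate()
    print("unchecked resolver fired:", leaked)
    print("checked resolver refused cross-user reference:", blocked)
```

The important design point is that the check runs at every resolution of a referenced identifier, including nested ones reached through `run`, rather than once at the top-level request; a check only on the workflow a user submits would still let a nested execute or agent node pull in someone else's workflow.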
Affected Systems
The vulnerability affects the Heym platform, specifically all releases prior to 0.0.21. Users running any version below 0.0.21 should consider themselves potentially impacted. The vendor’s changelog indicates that version 0.0.21 includes the remediation for this issue.
Risk and Exploitability
The CVSS score of 7.6 classifies this vulnerability as High severity. No EPSS score is available and it is not listed in CISA’s KEV catalog, suggesting that no widespread exploit activity has been observed yet. The attack vector is likely local or network-based, and in either case requires the attacker to first authenticate to the Heym system. Once authenticated, the attacker can submit crafted workflow payloads that reference another user's workflow UUID and trigger the bypass, leading to unintended execution of arbitrary workflow logic.
OpenCVE Enrichment