Description
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.
Published: 2026-05-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heym versions before 0.0.21 allow an authenticated workflow author to escape the sandbox by using Python introspection to retrieve the unrestricted __import__ function. This path permits the import of normally blocked modules such as os and subprocess, enabling the execution of arbitrary host commands. Consequently, an attacker can read sensitive environment variables that contain database credentials or encryption keys and run commands as the backend service user, compromising confidentiality, integrity, and availability of the underlying host system.

Affected Systems

All deployments of the Heym tool runner earlier than version 0.0.21 (e.g., 0.0.20 and older) are affected. The advisory references a release of 0.0.21 that addresses the issue, so any installation using a pre‑0.0.21 build is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability that, if exploited, grants full command execution on the host. The EPSS for this flaw is not available, so the current exploit probability cannot be quantified, but the lack of inclusion in the CISA KEV catalog does not reduce its inherent risk. Attackers must be authenticated workflow authors to reach the vulnerable code path; once this condition is met, they can achieve remote code execution with the privileges of the backend service. The combination of a high CVSS score and the ability to recover all forbidden modules makes exploitation both feasible and dangerous.

Generated by OpenCVE AI on May 12, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Heym 0.0.21 or later, which removes the vulnerable introspection code
  • If an upgrade is not immediately possible, disable the custom Python tool executor or restrict the set of users who can create or run workflows
  • Where feasible, reconfigure the backend environment to avoid exposing sensitive credentials or remove unrelated environment variables so that even if a command is executed, secrets are not accessible

Generated by OpenCVE AI on May 12, 2026 at 23:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Heymrun
Heymrun heym
Vendors & Products Heymrun
Heymrun heym

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.
Title Heym < 0.0.21 Sandbox Escape via Python Introspection
Weaknesses CWE-693
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Heymrun Heym
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T12:33:20.477Z

Reserved: 2026-05-11T14:14:49.611Z

Link: CVE-2026-45227

cve-icon Vulnrichment

Updated: 2026-05-14T12:33:10.981Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T22:16:38.260

Modified: 2026-05-14T13:16:20.490

Link: CVE-2026-45227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:35:25Z

Weaknesses