CVE-2026-45227
HIGH 8.8
Description
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 5/12/2026
Last modified: 5/13/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-693
References
https://github.com/heymrun/heym/commit/32b7e809d987d9b018ec8daa2cdaf48f627f26f1 (disclosure@vulncheck.com)
https://github.com/heymrun/heym/pull/94 (disclosure@vulncheck.com)
https://github.com/heymrun/heym/releases/tag/v0.0.21 (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/heym-sandbox-escape-via-python-introspection (disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.