CVE-2026-45227
Severity: HIGH (CVSS 8.8)
Description
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 5/12/2026
Last modified: 5/12/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-693
References
https://github.com/heymrun/heym/commit/32b7e809d987d9b018ec8daa2cdaf48f627f26f1 (source: disclosure@vulncheck.com)
https://github.com/heymrun/heym/pull/94 (source: disclosure@vulncheck.com)
https://github.com/heymrun/heym/releases/tag/v0.0.21 (source: disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/heym-sandbox-escape-via-python-introspection (source: disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.