CVE-2026-21621

Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad "api" scope instead of the expected "api:read" scope. This token is therefore treated as having full API access. If an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages. This vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2. This issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999	Patch
https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-05 20:16

Updated : 2026-03-25 01:17

NVD link : CVE-2026-21621

Mitre link : CVE-2026-21621

CVE.ORG link : CVE-2026-21621

JSON object : View

Products Affected

hex

hexpm

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-21621", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}], "cvssMetricV40": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T20:16:12.617", "references": [{"url": "https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999", "tags": ["Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3", "tags": ["Mitigation", "Vendor Advisory"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.\n\nAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\n\nWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\n\nIf an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\n\nThis vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.\n\nThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en hexpm hexpm/hexpm (m\u00f3dulo 'Elixir.HexpmWeb.API.OAuthController') permite la escalada de privilegios.\n\nUna clave API creada con permisos de solo lectura (dominio: \"api\", recurso: \"read\") puede ser escalada a acceso completo de escritura bajo condiciones espec\u00edficas.\n\nAl intercambiar una clave API de solo lectura a trav\u00e9s de la concesi\u00f3n OAuth client_credentials, el calificador de recurso es ignorado. El JWT resultante recibe el \u00e1mbito amplio \"api\" en lugar del \u00e1mbito esperado \"api:read\". Este token es, por lo tanto, tratado como si tuviera acceso completo a la API.\n\nSi un atacante es capaz de obtener una clave API de solo lectura de una v\u00edctima y un c\u00f3digo 2FA (TOTP) v\u00e1lido para la cuenta de la v\u00edctima, pueden usar el JWT con \u00e1mbito incorrecto para crear una nueva clave API de acceso completo con permisos de API ilimitados que no expira por defecto y puede realizar operaciones de escritura como publicar, retirar o modificar paquetes.\n\nEsta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/hexpm_web/controllers/api/oauth_controller.ex y las rutinas de programa 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.\n\nEste problema afecta a hexpm: desde 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b antes de 71c127afebb7ed7cc637eb231b98feb802d62999."}], "lastModified": "2026-03-25T01:17:21.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C693BC16-457B-49B1-B9C7-99C1BB65EBC8", "versionEndExcluding": "2026-03-05", "versionStartIncluding": "2025-10-17"}], "operator": "OR"}]}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}