Improper Authorization in Hexpm API Leading to Privilege Escalation
CVE-2026-21621

7 HIGH

Key Information:

Vendor

Hexpm

CVE Published:
5 March 2026

What is CVE-2026-21621?

The Hexpm API has an improper-authorization flaw in the OAuthController in its handling of read-only API keys. An attacker who obtains such a key together with a valid 2FA code can use it to escalate their access level. When a read-only API key is exchanged through the OAuth client_credentials grant, the key's intended resource scope is not enforced, so the resulting JWT is issued with the broad API access scope rather than the restricted read scope. With that JWT the attacker can generate an unrestricted API key for write operations, which could enable malicious actions such as publishing or modifying packages without detection.
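The scope-narrowing failure described above, modelled as an added example (not Hexpm's code; the scope names, function names and log format are constructed assumptions), with the flawed exchange beside its hardened form and a defender-side audit over sample token-issuance records:

```python
# Added illustration of the client_credentials exchange from the advisory.
# Scope names, function names and the log line format are constructed, not Hexpm's.

# Constructed scope model: "api" is the broad scope covering both read and write.
SCOPE_PERMISSIONS = {"api": {"read", "write"}, "api:read": {"read"}, "api:write": {"write"}}

def key_permissions(key_scopes):
    """Union of the permissions the exchanged API key itself carries."""
    return set().union(*(SCOPE_PERMISSIONS.get(s, set()) for s in key_scopes))

def vulnerable_issue_scope(key_scopes, requested_scope, totp_valid):
    """Flaw as described: the key's own scope is never consulted, so a read-only
    key plus a valid 2FA code yields a JWT with whatever scope was requested."""
    if not totp_valid:
        raise PermissionError("2FA check failed")
    return requested_scope  # never narrowed against key_scopes

def fixed_issue_scope(key_scopes, requested_scope, totp_valid):
    """Hardened form: the issued scope may not exceed the exchanged key's permissions."""
    if not totp_valid:
        raise PermissionError("2FA check failed")
    wanted = SCOPE_PERMISSIONS.get(requested_scope)
    if wanted is None:
        raise ValueError(f"unknown scope {requested_scope!r}")
    if not wanted <= key_permissions(key_scopes):
        raise PermissionError(f"key scope {sorted(key_scopes)} cannot mint {requested_scope!r}")
    return requested_scope

def audit_token_log(lines):
    """Defender check for the affected window: flag issued tokens whose scope exceeds
    the source key's scope. Constructed format: key=<name> key_scope=<s> token_scope=<s>."""
    findings = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        granted = SCOPE_PERMISSIONS.get(fields["token_scope"], set())
        if not granted <= key_permissions({fields["key_scope"]}):
            findings.append(fields["key"])
    return findings

# Constructed sample records: "ci-reader" is read-only but received a broad "api"
# token (the escalation); "publisher" legitimately holds "api"; "docs-bot" is clean.
SAMPLE_LOG = [
    "key=ci-reader key_scope=api:read token_scope=api",
    "key=publisher key_scope=api token_scope=api",
    "key=docs-bot key_scope=api:read token_scope=api:read",
]

if __name__ == "__main__":
    print(vulnerable_issue_scope({"api:read"}, "api", True))  # prints api (escalated)
    print(audit_token_log(SAMPLE_LOG))                         # prints ['ci-reader']
```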

Affected Version(s)

hex.pm 2025-08-18 < 2026-03-05

hexpm 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b < 71c127afebb7ed7cc637eb231b98feb802d62999

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Lubas / Paraxial.io
Jonatan Männchen / EEF