Insufficient Session Expiration in HexPM Affects User Account Security
CVE-2026-21622

9.5 CRITICAL

Key Information:

Vendor

Hexpm

CVE Published:
5 March 2026

What is CVE-2026-21622?

In HexPM's password reset mechanism, the tokens generated for resetting passwords do not expire, creating a significant security risk. An attacker who gains access to historical emails containing a password reset link can use it to reset the victim's password, even without current access to the victim's email account, because the token remains valid indefinitely. The absence of time-based expiration for password reset links therefore exposes users to account takeover whenever their past correspondence is compromised. Addressing this issue is crucial for maintaining the integrity of user accounts.
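To make the defect concrete, the following added example (written here in Python for illustration; it is not hexpm's own Elixir code, and the one-hour TTL, the in-memory store and the constructed timestamps are assumptions) shows the vulnerable pattern, a redeem path that only checks whether the token matches, next to the hardened pattern, which also enforces a time-to-live, invalidates the token on first use, and stores only a hash of the token so a leaked database does not yield usable reset links.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for this example: a reset link is valid for one hour.
TOKEN_TTL_SECONDS = 60 * 60


class ResetTokenStore:
    """Keeps, per user, the SHA-256 hash of the most recent reset token and
    the time it was issued (in-memory stand-in for a database table)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._issued = {}  # user_id -> (token_hash, issued_at)

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked table must not contain redeemable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, now=None):
        """Create a fresh token; issuing a new one supersedes any older one."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._issued[user_id] = (self._digest(token), now)
        return token  # this is what goes into the email link

    def redeem_without_expiry(self, user_id, token):
        """Vulnerable pattern: the token is accepted as long as it matches,
        no matter how old it is. This is the behaviour the CVE describes."""
        rec = self._issued.get(user_id)
        return rec is not None and hmac.compare_digest(rec[0], self._digest(token))

    def redeem(self, user_id, token, now=None):
        """Hardened pattern: matching token, within TTL, single use."""
        now = time.time() if now is None else now
        rec = self._issued.get(user_id)
        if rec is None:
            return False
        token_hash, issued_at = rec
        if now - issued_at > self.ttl:
            # Expired: drop the record so the stale link can never be used.
            self._issued.pop(user_id, None)
            return False
        if not hmac.compare_digest(token_hash, self._digest(token)):
            return False
        # Consume the token on successful use so the same link cannot be replayed.
        self._issued.pop(user_id, None)
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice", now=1_000.0)
    thirty_days_later = 1_000.0 + 30 * 24 * 3600
    print("no-expiry check accepts month-old link:",
          store.redeem_without_expiry("alice", link_token))
    print("hardened check accepts month-old link:",
          store.redeem("alice", link_token, now=thirty_days_later))
```

The two redeem methods differ only in the TTL and single-use checks, which is exactly the gap the advisory describes: a token found in an old mailbox export passes `redeem_without_expiry` indefinitely but is rejected by `redeem` once the window has closed. Storing the hash rather than the token, and replacing the record when a new token is issued, are the companion mitigations a practitioner would normally ship with the expiry fix.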

Affected Version(s)

hex.pm 2025-08-01 < 2026-03-05

hexpm 617e44c71f1dd9043870205f371d375c5c4d886d

References

CVSS V4

Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Lubas / Paraxial.io
Jonatan Männchen / EEF
Eric Meadows-Jönsson / Hex.pm