Insufficient Data Verification Vulnerability in Hex Package Manager
CVE-2026-32148

8.9 HIGH

Key Information:

Vendor

Hexpm

Status
Vendor
CVE Published:
30 April 2026

What is CVE-2026-32148?

The Hex package manager has a vulnerability in the Hex.RemoteConverger module: the checksum integrity of dependencies is not sufficiently verified. During dependency resolution, Hex.RemoteConverger.verify_resolved/2 skips checksum verification because of a data type mismatch between the string-based dependency names in the lock file and the atom-based names used in the verification logic, so the names never match and no comparison takes place. An attacker can use this to bypass the integrity check and substitute a dependency with modified contents, through local cache poisoning or a compromised package registry, without being detected. Checksums are still validated when a package is first fetched from the registry, but a later mismatch between the lock file and the resolved dependency goes unnoticed, so a tampered package can end up in the build.
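To make the failure mode concrete, here is an added illustration in Elixir of the string/atom key mismatch the advisory describes, with a hardened variant beside it. It is not Hex's own code and not the patched function: the module name LockCheckDemo, both function names, and the sample lock and resolved entries are constructed for this example.

```elixir
# Added illustration, not Hex's own code: a minimal model of a resolver's
# post-resolution checksum check. Lock entries arrive with string names
# (as read from the lock file); the resolved dependency list uses atom names.

defmodule LockCheckDemo do
  # Constructed sample data (not a real registry or lock file).
  # Lock as read from the lock file: string name => {version, checksum}.
  @lock %{
    "jason" => {"1.4.1", "sha256:aaaa"},
    "plug" => {"1.15.0", "sha256:bbbb"}
  }

  # What the resolver handed back: atom names. The checksum for :plug differs
  # from the lock, simulating a poisoned cache entry or a tampered registry.
  @resolved [
    {:jason, "1.4.1", "sha256:aaaa"},
    {:plug, "1.15.0", "sha256:cccc"}
  ]

  # Vulnerable shape: looks up the lock by the atom name. Map.get(lock, :plug)
  # returns nil because the key is "plug", so every dependency lands in the
  # "not in lock" branch and is skipped instead of compared.
  def verify_resolved_vulnerable(lock \\ @lock, resolved \\ @resolved) do
    Enum.flat_map(resolved, fn {name, version, checksum} ->
      case Map.get(lock, name) do
        # unknown to the lock: silently skipped (this is the bug)
        nil -> []
        {^version, ^checksum} -> []
        {_, _} -> [{name, :checksum_mismatch}]
      end
    end)
  end

  # Hardened shape: normalise both sides to the same type before the lookup,
  # and treat a dependency that should be locked but is missing from the lock
  # as a failure rather than silently skipping it.
  def verify_resolved_fixed(lock \\ @lock, resolved \\ @resolved) do
    Enum.flat_map(resolved, fn {name, version, checksum} ->
      key = Atom.to_string(name)

      case Map.fetch(lock, key) do
        {:ok, {^version, ^checksum}} -> []
        {:ok, {_, _}} -> [{name, :checksum_mismatch}]
        :error -> [{name, :missing_from_lock}]
      end
    end)
  end
end

IO.inspect(LockCheckDemo.verify_resolved_vulnerable(), label: "vulnerable")
IO.inspect(LockCheckDemo.verify_resolved_fixed(), label: "fixed")
```

Run it with `elixir lock_check_demo.exs`. The vulnerable variant reports nothing, because Map.get with an atom key never finds a string-keyed entry and the nil branch skips the dependency; the tampered :plug passes. The hardened variant normalises the key, reports :plug as a checksum mismatch, and would also flag a dependency that is absent from the lock entirely instead of treating absence as success.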

Affected Version(s)

hex >= 0.16.0, < 2.4.2 (from 0.16.0 up to, but not including, 2.4.2)

hex (git commit e01576f28c64af9fae6eb17e2dad30f6efcb303c)

References

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as listed on this page; CVSS v4 defines only None or Present for this metric, so this value should be checked against the vector string in the original advisory)
Privileges Required: Undefined (not recorded on this page)
User Interaction: Unknown (not recorded on this page)

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Paul Fleischer
Jonatan Männchen / EEF
Eric Meadows-Jönsson / Hex.pm