CVE-2026-21621 — Incorrect Authorization vulnerability in hexpm hexpm/hexpm…
🚨 CVE-2026-21621 Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions.
Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
cna.erlef.org
What This Means For You
- New vulnerability disclosed — verify if your stack is exposed.
- Supply chain risk — audit dependencies and third-party integrations.
- Phishing or social engineering activity — brief your users and SOC team.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-21621 | Auth Bypass | hexpm hexpm/hexpm, affected versions from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999. Vulnerable component: Elixir.HexpmWeb.API.OAuthController, specifically the validate_scopes_against_key/2 function. The vulnerability allows a read-only API key to be escalated to full write access by ignoring the resource qualifier during the OAuth client_credentials grant, resulting in an overly broad 'api' scope in the JWT. |
| CVE-2026-21621 | Privilege Escalation | hexpm hexpm/hexpm, affected versions from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999. Vulnerable component: Elixir.HexpmWeb.API.OAuthController. The vulnerability allows an attacker with a victim's read-only API key and TOTP code to create a new, unrestricted, non-expiring full-access API key. |
| CVE-2026-21621 | Misconfiguration | hexpm hexpm/hexpm, affected versions from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999. Vulnerable component: Elixir.HexpmWeb.API.OAuthController. The OAuth client_credentials grant incorrectly ignores the resource qualifier for read-only API keys, leading to an 'api' scope instead of 'api:read'. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158190 |
| Published | April 06, 2026 at 20:27 UTC |
| Original Link | https://cna.erlef.org/cves/CVE-2026-21621.html |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us on LinkedIn to stay ahead.
Share