CVE-2026-21621 — Incorrect Authorization vulnerability in hexpm hexpm/hexpm…

/HIGH
CVE Notify vulnerabilitycveidentity
CVE-2026-21621 — Incorrect Authorization vulnerability in hexpm hexpm/hexpm…

🚨 CVE-2026-21621 Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions.

Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
cna.erlef.org

What This Means For You

  • New vulnerability disclosed — verify if your stack is exposed.
  • Supply chain risk — audit dependencies and third-party integrations.
  • Phishing or social engineering activity — brief your users and SOC team.

Related ATT&CK Techniques

T1078.004 Abuse of Cloud Account Privilege Escalation T1136.003 Cloud Account Privilege Escalation T1539 Steal Application Access Token Credential Access

Indicators of Compromise

IDTypeIndicator
CVE-2026-21621 Auth Bypass hexpm hexpm/hexpm, affected versions from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999. Vulnerable component: Elixir.HexpmWeb.API.OAuthController, specifically the validate_scopes_against_key/2 function. The vulnerability allows a read-only API key to be escalated to full write access by ignoring the resource qualifier during the OAuth client_credentials grant, resulting in an overly broad 'api' scope in the JWT.
CVE-2026-21621 Privilege Escalation hexpm hexpm/hexpm, affected versions from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999. Vulnerable component: Elixir.HexpmWeb.API.OAuthController. The vulnerability allows an attacker with a victim's read-only API key and TOTP code to create a new, unrestricted, non-expiring full-access API key.
CVE-2026-21621 Misconfiguration hexpm hexpm/hexpm, affected versions from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999. Vulnerable component: Elixir.HexpmWeb.API.OAuthController. The OAuth client_credentials grant incorrectly ignores the resource qualifier for read-only API keys, leading to an 'api' scope instead of 'api:read'.
🔎
Turn this CVE into SIEM detection coverage Generate detection rules for Splunk, Sentinel, QRadar & Elastic — straight from this vulnerability. Use /detect in the Intel Bot.
Open Intel Bot →
Source & Attribution
Source PlatformTelegram
ChannelCVE Notify
PublishedApril 06, 2026 at 20:27 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

BookingPress Pro Plugin: Critical RCE via Unauthenticated File Upload

CVE-2026-6960 — The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-434
/SCW Vulnerability Desk /CRITICAL /9.8 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-22678 — The Email Template Description Field Of The System And Serve Cross-Site Scripting (XSS)

CVE-2026-22678 — Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that...

vulnerabilityCVEmedium-severitycross-site-scripting-xsscwe-79
/SCW Vulnerability Desk /MEDIUM /5.4 /⚑ 2 IOCs /⚙ 3 Sigma

LiteLLM Privilege Escalation: User Role Manipulation Grants Admin Access (CVE-2026-47102)

CVE-2026-47102 — LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to...

vulnerabilityCVEhigh-severitycwe-863
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 3 IOCs /⚙ 2 Sigma