CVE-2026-21622 — Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm…

/HIGH
CVE Notify vulnerabilitycvedata-breachidentity
CVE-2026-21622 — Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm…

🚨 CVE-2026-21622 Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email con

Password Reset Tokens Do Not Expire
cna.erlef.org

What This Means For You

  • New vulnerability disclosed — verify if your stack is exposed.
  • Data exposure reported — check if your organization or users are affected.

Related ATT&CK Techniques

T1110.004 Password Reset: Abuse of Functionality Initial Access T1539 Steal Application Access Token Credential Access

Indicators of Compromise

IDTypeIndicator
CVE-2026-21622 hexpm hexpm/hexpm: Insufficient Session Expiration in 'Elixir.Hexpm.Accounts.PasswordReset' module. Password reset tokens do not expire, allowing attackers to use leaked tokens to reset victim passwords. Affected versions: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.
CVE-2026-21622 Information Disclosure hexpm hexpm/hexpm: Insufficient Session Expiration vulnerability in 'Elixir.Hexpm.Accounts.PasswordReset' module. Password reset tokens remain valid indefinitely until used. This can lead to account takeover if historical emails containing these tokens are exposed.
CVE-2026-21622 Code Injection hexpm hexpm/hexpm: Vulnerable component 'Elixir.Hexpm.Accounts.PasswordReset' module, specifically routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3 and program files lib/hexpm/accounts/password_reset.ex. Password reset tokens do not expire.
Source & Attribution
Source PlatformTelegram
ChannelCVE Notify
Channel ID1129491012
Message ID158191
PublishedApril 06, 2026 at 20:27 UTC
Original Linkhttps://cna.erlef.org/cves/CVE-2026-21622.html

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Found this interesting? Follow us on LinkedIn to stay ahead.

Follow Shimi Cohen Follow Shimi's Cyber World
Share
LinkedIn WhatsApp Reddit