CVE-2026-21622 — Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm…

/HIGH
CVE Notify vulnerabilitycvedata-breachidentity
CVE-2026-21622 — Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm…

🚨 CVE-2026-21622 Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email con

Password Reset Tokens Do Not Expire
cna.erlef.org

What This Means For You

  • New vulnerability disclosed — verify if your stack is exposed.
  • Data exposure reported — check if your organization or users are affected.

Related ATT&CK Techniques

T1110.004 Password Reset: Abuse of Functionality Initial Access T1539 Steal Application Access Token Credential Access

Indicators of Compromise

IDTypeIndicator
CVE-2026-21622 hexpm hexpm/hexpm: Insufficient Session Expiration in 'Elixir.Hexpm.Accounts.PasswordReset' module. Password reset tokens do not expire, allowing attackers to use leaked tokens to reset victim passwords. Affected versions: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.
CVE-2026-21622 Information Disclosure hexpm hexpm/hexpm: Insufficient Session Expiration vulnerability in 'Elixir.Hexpm.Accounts.PasswordReset' module. Password reset tokens remain valid indefinitely until used. This can lead to account takeover if historical emails containing these tokens are exposed.
CVE-2026-21622 Code Injection hexpm hexpm/hexpm: Vulnerable component 'Elixir.Hexpm.Accounts.PasswordReset' module, specifically routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3 and program files lib/hexpm/accounts/password_reset.ex. Password reset tokens do not expire.
🔎
Turn this CVE into SIEM detection coverage Generate detection rules for Splunk, Sentinel, QRadar & Elastic — straight from this vulnerability. Use /detect in the Intel Bot.
Open Intel Bot →
Source & Attribution
Source PlatformTelegram
ChannelCVE Notify
PublishedApril 06, 2026 at 20:27 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-4843 — The GSheet For Woo Importer plugin for WordPress is

CVE-2026-4843 — The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the...

vulnerabilityCVEmedium-severitycwe-862
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 2 Sigma

IINA CVE-2026-47114: macOS Command Execution via Malicious URL

CVE-2026-47114 — IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters...

vulnerabilityCVEhigh-severitycwe-88
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 3 Sigma
Featured

Daily Security Digest — 2026-05-21

48 vulnerability disclosures (6 Critical, 42 High) and 20 curated intelligence stories from 7 sources.

daily-digestvulnerabilityCVEcriticalhigh-severitybuffer-overflowcwe-122sql-injectioncwe-89cwe-121
/SCW Daily Digest /CRITICAL