CVE-2026-21621
CVSS v4.0 severity:
HIGH
Type:
Not available / Other type
Publication date:
05/03/2026
Last modified:
05/03/2026
Description
Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.

An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions.

When a read-only API key is exchanged via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad "api" scope instead of the expected "api:read" scope, so the token is treated as having full API access.

If an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions. That key does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.

This vulnerability is associated with the program file lib/hexpm_web/controllers/api/oauth_controller.ex and the program routine 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.

This issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.
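The following is an added illustration, not hexpm's code and not the fix referenced above: it models the scope derivation described in the advisory in generic form. A flawed derivation copies only the permission's domain into the token scope (a read-only key becomes the bare "api" scope), while the corrected derivation carries the resource qualifier through ("api:read") and the token endpoint refuses any requested scope the key does not cover. All type and function names (KeyPermission, ApiKey, scopes_vulnerable, scopes_fixed, scope_allows, validate_requested_scopes) are assumptions made for this example.

```python
"""Hypothetical model of API-key -> token scope derivation for an OAuth
client_credentials exchange. Written for this note; it is not hexpm's
implementation and every name here is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class KeyPermission:
    domain: str                 # e.g. "api"
    resource: Optional[str]     # e.g. "read" or "write"; None = unrestricted


@dataclass
class ApiKey:
    name: str
    permissions: List[KeyPermission]


def scopes_vulnerable(key: ApiKey) -> Set[str]:
    """Flawed derivation: only the domain is copied into the token scope.
    A key holding (api, read) therefore yields the broad 'api' scope."""
    return {p.domain for p in key.permissions}


def scopes_fixed(key: ApiKey) -> Set[str]:
    """Corrected derivation: the resource qualifier narrows the scope.
    (api, read) -> 'api:read'; a permission with no resource keeps the
    bare domain, which is the only way to obtain the unqualified scope."""
    return {
        f"{p.domain}:{p.resource}" if p.resource else p.domain
        for p in key.permissions
    }


def scope_allows(granted: Set[str], required: str) -> bool:
    """A token may perform an action if it holds the exact scope or the
    unqualified parent domain ('api' covers 'api:read' and 'api:write')."""
    domain = required.split(":", 1)[0]
    return required in granted or domain in granted


def validate_requested_scopes(key: ApiKey, requested: List[str]) -> Tuple[bool, List[str]]:
    """Server-side check at the token endpoint: every scope the client asks
    for must be covered by what the key actually holds. Returns (ok, denied)
    so the caller can reject the exchange and log which scopes were refused."""
    allowed = scopes_fixed(key)
    denied = [s for s in requested if not scope_allows(allowed, s)]
    return (len(denied) == 0, denied)


if __name__ == "__main__":
    # Constructed sample: a read-only key as described in the advisory.
    read_only = ApiKey("ci-reader", [KeyPermission("api", "read")])
    print("vulnerable grants write:",
          scope_allows(scopes_vulnerable(read_only), "api:write"))   # True
    print("fixed grants write:",
          scope_allows(scopes_fixed(read_only), "api:write"))        # False
    print("request for bare 'api' scope:",
          validate_requested_scopes(read_only, ["api"]))             # (False, ['api'])
```

The detection angle for operators is the same comparison: a token minted from a key whose permissions carry a resource qualifier should never hold the unqualified domain scope, so any issued JWT whose scope set is broader than scopes_fixed(key) indicates the flawed path.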
Impact
Base score 4.0
7.00
Severity 4.0
HIGH