CVE-2026-21621 (GCVE-0-2026-21621)

Vulnerability from cvelistv5 – Published: 2026-03-05 19:20 – Updated: 2026-03-07 03:48
Title
Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Summary
Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.

An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions.

When exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad "api" scope instead of the expected "api:read" scope. This token is therefore treated as having full API access.

If an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.

This vulnerability is associated with program file lib/hexpm_web/controllers/api/oauth_controller.ex and program routine 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.

This issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
EEF
Impacted products
Vendor: hexpm
Product: hexpm
  • Affected: 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b , < 71c127afebb7ed7cc637eb231b98feb802d62999 (git)
  • Affected: pkg:github/hexpm/hexpm@71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b , < pkg:github/hexpm/hexpm@71c127afebb7ed7cc637eb231b98feb802d62999 (purl)
  • CPE: cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*
Vendor: hexpm
Product: hex.pm
  • Affected: 2025-08-18 , < 2026-03-05 (date)
Credits
  • Michael Lubas / Paraxial.io (finder)
  • Jonatan Männchen / EEF (remediation developer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21621",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T18:03:45.435445Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T18:03:52.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.HexpmWeb.API.OAuthController\u0027"
          ],
          "packageName": "hexpm/hexpm",
          "packageURL": "pkg:github/hexpm/hexpm",
          "product": "hexpm",
          "programFiles": [
            "lib/hexpm_web/controllers/api/oauth_controller.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2"
            }
          ],
          "repo": "https://github.com/hexpm/hexpm.git",
          "vendor": "hexpm",
          "versions": [
            {
              "lessThan": "71c127afebb7ed7cc637eb231b98feb802d62999",
              "status": "affected",
              "version": "71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b",
              "versionType": "git"
            },
            {
              "lessThan": "pkg:github/hexpm/hexpm@71c127afebb7ed7cc637eb231b98feb802d62999",
              "status": "affected",
              "version": "pkg:github/hexpm/hexpm@71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b",
              "versionType": "purl"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "hex.pm",
          "vendor": "hexpm",
          "versions": [
            {
              "lessThan": "2026-03-05",
              "status": "affected",
              "version": "2025-08-18",
              "versionType": "date"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "71c127afebb7ed7cc637eb231b98feb802d62999",
                  "versionStartIncluding": "71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Lubas / Paraxial.io"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.API.OAuthController\u0027 module) allows Privilege Escalation.\u003cp\u003eAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\u003c/p\u003e\u003cp\u003eWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\u003c/p\u003e\u003cp\u003eIf an attacker is able to obtain a victim\u0027s read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/hexpm_web/controllers/api/oauth_controller.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.API.OAuthController\u0027 module) allows Privilege Escalation.\n\nAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\n\nWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\n\nIf an attacker is able to obtain a victim\u0027s read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\n\nThis vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines \u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2.\n\nThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T03:48:46.180Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eRevoke and reissue exposed API keys immediately if compromise is suspected.\u003c/li\u003e\u003cli\u003eAvoid relying on read-only API keys as a strict security boundary in high-risk environments.\u003c/li\u003e\u003cli\u003eClosely monitor audit logs for unexpected API key creation events.\u003c/li\u003e\u003cli\u003eEnforce strong 2FA hygiene and protect TOTP seeds carefully.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no complete mitigation without upgrading, as the issue exists in server-side scope validation logic.\u003c/p\u003e"
            }
          ],
          "value": "* Revoke and reissue exposed API keys immediately if compromise is suspected.\n* Avoid relying on read-only API keys as a strict security boundary in high-risk environments.\n* Closely monitor audit logs for unexpected API key creation events.\n* Enforce strong 2FA hygiene and protect TOTP seeds carefully.\n\nThere is no complete mitigation without upgrading, as the issue exists in server-side scope validation logic."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-21621",
    "datePublished": "2026-03-05T19:20:05.831Z",
    "dateReserved": "2026-01-01T03:46:45.934Z",
    "dateUpdated": "2026-03-07T03:48:46.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}