FKIE_CVE-2026-21621

Vulnerability from fkie_nvd - Published: 2026-03-05 20:16 - Updated: 2026-03-09 13:36
Severity ?
7.0 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N
Summary
Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad "api" scope instead of the expected "api:read" scope. This token is therefore treated as having full API access. If an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages. This vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2. This issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.
References
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.API.OAuthController\u0027 module) allows Privilege Escalation.\n\nAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\n\nWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\n\nIf an attacker is able to obtain a victim\u0027s read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\n\nThis vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines \u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2.\n\nThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en hexpm hexpm/hexpm (m\u00f3dulo \u0027Elixir.HexpmWeb.API.OAuthController\u0027) permite la escalada de privilegios.\n\nUna clave API creada con permisos de solo lectura (dominio: \"api\", recurso: \"read\") puede ser escalada a acceso completo de escritura bajo condiciones espec\u00edficas.\n\nAl intercambiar una clave API de solo lectura a trav\u00e9s de la concesi\u00f3n OAuth client_credentials, el calificador de recurso es ignorado. El JWT resultante recibe el \u00e1mbito amplio \"api\" en lugar del \u00e1mbito esperado \"api:read\". Este token es, por lo tanto, tratado como si tuviera acceso completo a la API.\n\nSi un atacante es capaz de obtener una clave API de solo lectura de una v\u00edctima y un c\u00f3digo 2FA (TOTP) v\u00e1lido para la cuenta de la v\u00edctima, pueden usar el JWT con \u00e1mbito incorrecto para crear una nueva clave API de acceso completo con permisos de API ilimitados que no expira por defecto y puede realizar operaciones de escritura como publicar, retirar o modificar paquetes.\n\nEsta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/hexpm_web/controllers/api/oauth_controller.ex y las rutinas de programa \u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2.\n\nEste problema afecta a hexpm: desde 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b antes de 71c127afebb7ed7cc637eb231b98feb802d62999."
    }
  ],
  "id": "CVE-2026-21621",
  "lastModified": "2026-03-09T13:36:08.413",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T20:16:12.617",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.