CVE-2026-21621

{"id": "CVE-2026-21621", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T20:16:12.617", "references": [{"url": "https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.\n\nAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\n\nWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\n\nIf an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\n\nThis vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.\n\nThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en hexpm hexpm/hexpm (m\u00f3dulo 'Elixir.HexpmWeb.API.OAuthController') permite la escalada de privilegios.\n\nUna clave API creada con permisos de solo lectura (dominio: \"api\", recurso: \"read\") puede ser escalada a acceso completo de escritura bajo condiciones espec\u00edficas.\n\nAl intercambiar una clave API de solo lectura a trav\u00e9s de la concesi\u00f3n OAuth client_credentials, el calificador de recurso es ignorado. El JWT resultante recibe el \u00e1mbito amplio \"api\" en lugar del \u00e1mbito esperado \"api:read\". Este token es, por lo tanto, tratado como si tuviera acceso completo a la API.\n\nSi un atacante es capaz de obtener una clave API de solo lectura de una v\u00edctima y un c\u00f3digo 2FA (TOTP) v\u00e1lido para la cuenta de la v\u00edctima, pueden usar el JWT con \u00e1mbito incorrecto para crear una nueva clave API de acceso completo con permisos de API ilimitados que no expira por defecto y puede realizar operaciones de escritura como publicar, retirar o modificar paquetes.\n\nEsta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/hexpm_web/controllers/api/oauth_controller.ex y las rutinas de programa 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.\n\nEste problema afecta a hexpm: desde 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b antes de 71c127afebb7ed7cc637eb231b98feb802d62999."}], "lastModified": "2026-03-09T13:36:08.413", "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}