PT-2026-23497 · Hexpm · Hexpm
Realcorvus · Published 2026-03-05 · Updated 2026-03-05 · CVE-2026-21621
CVSS v4.0: 7.0 (High)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
hexpm versions prior to 71c127afebb7ed7cc637eb231b98feb802d62999
Description
A flaw exists in the authorization process within the 'Elixir.HexpmWeb.API.OAuthController' module of hexpm, potentially leading to privilege escalation. Specifically, when a read-only API key is exchanged using the OAuth client credentials grant, the intended resource qualifier is disregarded. This results in a JWT being issued with the broad "api" scope instead of the expected "api:read" scope, so the token is treated as having full API access. An attacker who obtains a victim's read-only API key and a valid TOTP code can exploit this to generate a new, unrestricted full-access API key that does not expire by default, enabling write operations such as publishing, retiring, or modifying packages. The issue is associated with the file lib/hexpm_web/controllers/api/oauth_controller.ex and the Elixir.HexpmWeb.API.OAuthController:validate_scopes_against_key/2 routine.
Recommendations
Update to version 71c127afebb7ed7cc637eb231b98feb802d62999 or later to address the incorrect scope assignment during OAuth token exchange.
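As an added illustration (not hexpm's own code), the following Python model contrasts a scope-narrowing routine that drops the resource qualifier, which is the failure mode described above, with one that checks every requested scope against the permissions the presented key actually carries. The scope lattice and all names other than validate_scopes_against_key are assumptions made for the example.

```python
"""Model of scope narrowing for an OAuth client-credentials exchange in which
an API key acts as the client secret. Hypothetical model, not hexpm code."""

# Assumed scope lattice: the unqualified "api" scope implies its qualified
# children; a qualified scope implies only itself.
SCOPE_IMPLIES = {
    "api": {"api", "api:read", "api:write"},
    "api:read": {"api:read"},
    "api:write": {"api:write"},
}


def implied_scopes(key_permissions):
    """Every scope that a key's permission set actually covers."""
    covered = set()
    for scope in key_permissions:
        covered |= SCOPE_IMPLIES.get(scope, {scope})
    return covered


def scopes_vulnerable(key_permissions, requested):
    """Buggy behaviour: the qualifier after ':' is discarded, so a key that
    holds only 'api:read' yields a token carrying the unqualified 'api'
    scope. key_permissions is never consulted, which is the defect."""
    return sorted({scope.split(":", 1)[0] for scope in requested})


def validate_scopes_against_key(key_permissions, requested):
    """Hardened behaviour: each requested scope must be implied by the key's
    own permissions. Any scope outside that set, or an empty request,
    refuses the exchange (returns None) instead of silently widening it."""
    allowed = implied_scopes(key_permissions)
    wanted = set(requested)
    if not wanted or not wanted <= allowed:
        return None
    return sorted(wanted)


if __name__ == "__main__":
    # Constructed input: a read-only key asking for a read-only token.
    key = ["api:read"]
    print("vulnerable:", scopes_vulnerable(key, ["api:read"]))          # ['api']
    print("hardened:  ", validate_scopes_against_key(key, ["api:read"]))  # ['api:read']
    print("escalation:", validate_scopes_against_key(key, ["api"]))       # None
```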
Tags: Fix · LPE · Incorrect Authorization
Affected Products
Hexpm