PT-2026-23515 · Hexpm · Hexpm

Realcorvus · Published 2026-03-05 · Updated 2026-03-07 · CVE-2026-21622

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: hexpm versions prior to commit bb0e42091995945deef10556f58d046a52eb7884
Description: A flaw in hexpm allows account takeover due to insufficient session expiration. Password reset tokens generated through the password reset functionality do not expire and remain valid indefinitely, so every reset email a user has ever received stays usable. An attacker who obtains a previously leaked email containing a valid reset token can use it to reset the victim's password without needing current access to the victim's email account. The vulnerable code resides in the Elixir.Hexpm.Accounts.PasswordReset module, in the can_reset?/3 function.
Recommendations: Update hexpm to commit bb0e42091995945deef10556f58d046a52eb7884 or later.
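The check described above, as an added illustration that is not hexpm's code: a reset-token validation that only compares the token (and therefore accepts a year-old leaked link) beside one that also enforces an issue-time TTL and single use. The module name, struct fields, the one-hour TTL and the SHA-256 hashing of the stored key are assumptions for the example; the advisory does not state how hexpm's can_reset?/3 or its fix are implemented.

```elixir
defmodule ResetTokenExample do
  @moduledoc """
  Illustrative password-reset token check (example code, not hexpm's).
  Shows a check that ignores token age beside one that enforces a TTL.
  """
  import Bitwise

  # Assumed policy: a reset link is good for one hour. hexpm's value is not
  # stated in the advisory.
  @ttl_seconds 3600

  # A reset record as it might be stored: the hash of the token, when it
  # was issued, and whether it has already been consumed.
  defstruct [:key_hash, :inserted_at, used: false]

  @doc "Issue a record and return {record, plaintext_key}; only the hash is stored."
  def issue(%DateTime{} = now) do
    key = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    {%__MODULE__{key_hash: hash(key), inserted_at: now}, key}
  end

  @doc "Vulnerable pattern: a matching key is accepted no matter how old the record is."
  def can_reset_vulnerable?(%__MODULE__{} = reset, key, _now) do
    secure_compare(reset.key_hash, hash(key))
  end

  @doc "Hardened pattern: key must match, record must be unused and within the TTL."
  def can_reset_fixed?(%__MODULE__{} = reset, key, %DateTime{} = now) do
    not reset.used and
      DateTime.diff(now, reset.inserted_at) <= @ttl_seconds and
      secure_compare(reset.key_hash, hash(key))
  end

  @doc "Mark a record consumed so the same link cannot be replayed."
  def consume(%__MODULE__{} = reset), do: %{reset | used: true}

  defp hash(key), do: :crypto.hash(:sha256, key)

  # Constant-time comparison so response timing does not leak how much of
  # the hash matched.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end) == 0
  end

  defp secure_compare(_, _), do: false
end

# Demo with constructed timestamps: a token from an email sent a year ago.
issued_at = ~U[2025-03-01 12:00:00Z]
{reset, key} = ResetTokenExample.issue(issued_at)
now = ~U[2026-03-05 09:00:00Z]

IO.inspect(ResetTokenExample.can_reset_vulnerable?(reset, key, now),
  label: "vulnerable check accepts year-old token")
IO.inspect(ResetTokenExample.can_reset_fixed?(reset, key, now),
  label: "fixed check accepts year-old token")
IO.inspect(ResetTokenExample.can_reset_fixed?(reset, key, DateTime.add(issued_at, 600)),
  label: "fixed check accepts 10-minute-old token")
IO.inspect(
  reset
  |> ResetTokenExample.consume()
  |> ResetTokenExample.can_reset_fixed?(key, DateTime.add(issued_at, 600)),
  label: "fixed check accepts already-used token"
)
```

Run with `elixir reset_token_example.exs`. The first line prints `true` (the old link still works), the next three print `false`, `true`, `false`: age and single use are what turn a leaked mailbox from a standing credential back into a short-lived one. Note that a TTL alone does not help users whose mailbox is compromised right now; it only bounds the window during which an old leak stays exploitable.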

Fix

Commit bb0e42091995945deef10556f58d046a52eb7884 (see Recommendations)

Weakness Enumeration

Insufficient Session Expiration (CWE-613)

Related Identifiers

CVE-2026-21622
GHSA-6R94-PVWF-MXQM

Affected Products

Hexpm