PT-2026-36158 · Hex · Hex

Paul Fleischer

Published: 2026-04-30

Updated: 2026-05-05

CVE-2026-32148

CVSS v4.0: 8.9 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: hex versions 0.16.0 through 2.4.1

Description: Insufficient Verification of Data Authenticity in the Hex.RemoteConverger module allows for a dependency integrity bypass. The Hex.RemoteConverger.verify_resolved/2 function fails to execute checksum verification because of a type mismatch: Hex.Utils.lock/1 returns string-based dependency names, whereas the verification logic expects atom-based names. As a result, every lookup misses and the verification process is silently skipped. While checksums are validated during the initial download from the registry, discrepancies between the lockfile and the resolved dependencies are not detected. An attacker capable of influencing cached packages, such as through local cache poisoning or a compromised registry, could supply modified dependency contents that are accepted without detection, because the mix.lock file is silently updated with the registry's checksums.

Recommendations: Update to version 2.4.2.
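The key-type mismatch described above, modelled as an added Ruby example (not Hex's Elixir code): Ruby Symbol versus String hash keys stand in for Elixir atom versus string dependency names, the lock and resolved maps are constructed sample data, and the function names and checksum values are illustrative assumptions. The vulnerable shape misses on every lookup and reports nothing; the hardened shape normalises the key type first, and a small regression guard flags the "names overlap but nothing was checked" condition.

```ruby
# Constructed lock contents in the shape the advisory attributes to
# Hex.Utils.lock/1: dependency names are strings. Values are made-up checksums.
LOCK = {
  "plug"  => "sha256:aaaa1111",
  "jason" => "sha256:bbbb2222",
}

# Constructed resolved set with atom-style (symbol) names. "jason" resolves to
# contents whose checksum differs from the lockfile entry.
RESOLVED = {
  plug:  "sha256:aaaa1111",
  jason: "sha256:ffff9999",
}

# Vulnerable shape (illustrative, not Hex's code): looks the lock up by the
# symbol name. :jason != "jason", so every lookup misses, each dependency is
# treated as "not in the lock yet", and the caller later writes the registry
# checksums into the lock. No mismatch is ever reported.
def verify_resolved_vulnerable(resolved, lock)
  checked = 0
  mismatches = []
  resolved.each do |name, checksum|
    expected = lock[name]
    next if expected.nil?          # silent skip on every dependency
    checked += 1
    mismatches << name.to_s unless expected == checksum
  end
  { checked: checked, mismatches: mismatches }
end

# Hardened shape: normalise both sides to one key type before comparing, so
# only a genuinely new dependency is skipped and tampered contents are caught.
def verify_resolved_fixed(resolved, lock)
  lock_by_name = lock.transform_keys(&:to_s)
  checked = 0
  mismatches = []
  resolved.each do |name, checksum|
    expected = lock_by_name[name.to_s]
    next if expected.nil?          # genuinely new dependency
    checked += 1
    mismatches << name.to_s unless expected == checksum
  end
  { checked: checked, mismatches: mismatches }
end

# Regression guard: dependency names overlap once normalised, yet the verifier
# compared nothing. A test for this bug class should assert this is false.
def verification_silently_skipped?(result, resolved, lock)
  overlap = resolved.keys.map(&:to_s) & lock.keys.map(&:to_s)
  !overlap.empty? && result[:checked].zero?
end
```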


Related Identifiers

CVE-2026-32148
GHSA-HMV9-4MFR-M92V

Affected Products

Hex