{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-21T05:51:18.973",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-21621",
        "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "published": "2026-03-05T20:16:12.617",
        "lastModified": "2026-04-06T17:17:07.550",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.\n\nAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\n\nWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\n\nIf an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\n\nThis vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.\n\nThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999."
          }
        ],
        "metrics": {
          "cvssMetricV40": [
            {
              "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
              "type": "Secondary",
              "cvssData": {
                "version": "4.0",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                "baseScore": 7.0,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "subAvailabilityImpact": "NONE",
                "exploitMaturity": "NOT_DEFINED",
                "confidentialityRequirement": "NOT_DEFINED",
                "integrityRequirement": "NOT_DEFINED",
                "availabilityRequirement": "NOT_DEFINED",
                "modifiedAttackVector": "NOT_DEFINED",
                "modifiedAttackComplexity": "NOT_DEFINED",
                "modifiedAttackRequirements": "NOT_DEFINED",
                "modifiedPrivilegesRequired": "NOT_DEFINED",
                "modifiedUserInteraction": "NOT_DEFINED",
                "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
                "modifiedVulnIntegrityImpact": "NOT_DEFINED",
                "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
                "modifiedSubConfidentialityImpact": "NOT_DEFINED",
                "modifiedSubIntegrityImpact": "NOT_DEFINED",
                "modifiedSubAvailabilityImpact": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "valueDensity": "NOT_DEFINED",
                "vulnerabilityResponseEffort": "NOT_DEFINED",
                "providerUrgency": "NOT_DEFINED"
              }
            }
          ],
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "HIGH",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 3.6
            }
          ]
        },
        "weaknesses": [
          {
            "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "2025-10-17",
                    "versionEndExcluding": "2026-03-05",
                    "matchCriteriaId": "C693BC16-457B-49B1-B9C7-99C1BB65EBC8"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://cna.erlef.org/cves/CVE-2026-21621.html",
            "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"
          },
          {
            "url": "https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999",
            "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "tags": ["Patch"]
          },
          {
            "url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3",
            "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "tags": ["Mitigation", "Vendor Advisory"]
          },
          {
            "url": "https://osv.dev/vulnerability/EEF-CVE-2026-21621",
            "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"
          }
        ]
      }
    }
  ]
}
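The record above describes the flaw only in prose: a key holding (domain "api", resource "read") goes through the OAuth client_credentials exchange and comes out as a JWT scoped "api" rather than "api:read", because the resource qualifier is not consulted. The following Python model is an added example, not hexpm's code and not the content of the referenced patch commit: the permission/scope representation, the assumed scope hierarchy ("api" implies "api:read" and "api:write", "api:write" implies "api:read"), and every function name are assumptions made for illustration. It shows the domain-only check beside a check that compares the full scope, and what each one mints for a constructed read-only key. The TOTP requirement and the creation of a new full-access key mentioned in the description are downstream of the scope decision and are not modelled.

```python
"""Scope derivation for an OAuth client_credentials exchange of an API key.

Added illustration of the flaw described in CVE-2026-21621 (not hexpm's code):
a key holding only (domain "api", resource "read") must yield a token scoped
"api:read"; the pre-fix shape compared domains only and minted the broad "api".
The key/permission/scope representation and all function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Assumed scope hierarchy: a scope covers itself plus the narrower scopes it implies.
IMPLIED: Dict[str, Set[str]] = {
    "api": {"api", "api:read", "api:write"},
    "api:write": {"api:write", "api:read"},
    "api:read": {"api:read"},
}


@dataclass(frozen=True)
class Permission:
    domain: str
    resource: Optional[str] = None  # None: the whole domain, i.e. scope "api"

    def scope(self) -> str:
        return self.domain if self.resource is None else f"{self.domain}:{self.resource}"


@dataclass
class ApiKey:
    name: str
    permissions: List[Permission] = field(default_factory=list)


def covers(granted: str, requested: str) -> bool:
    """True if holding `granted` entitles the holder to `requested`."""
    return requested in IMPLIED.get(granted, {granted})


def vulnerable_validate(key: ApiKey, requested: Optional[List[str]]) -> List[str]:
    """Pre-fix shape of the check: only the domain half of each permission is
    consulted, so the resource qualifier is lost. With no explicit request the
    token defaults to the bare domain, and "api" may also be requested outright."""
    domains = {p.domain for p in key.permissions}
    scopes = requested or sorted(domains)
    for s in scopes:
        if s.split(":", 1)[0] not in domains:
            raise PermissionError(f"scope {s!r} not permitted by key {key.name!r}")
    return scopes


def fixed_validate(key: ApiKey, requested: Optional[List[str]]) -> List[str]:
    """Hardened check: the default is exactly the key's own scopes, and every
    requested scope must be covered by a scope the key actually holds."""
    granted = {p.scope() for p in key.permissions}
    scopes = requested or sorted(granted)
    for s in scopes:
        if not any(covers(g, s) for g in granted):
            raise PermissionError(f"scope {s!r} not permitted by key {key.name!r}")
    return scopes


Validator = Callable[[ApiKey, Optional[List[str]]], List[str]]


def exchange(key: ApiKey, requested: Optional[List[str]], validate: Validator) -> Dict[str, str]:
    """Claims the client_credentials grant would place in the JWT (signing omitted)."""
    return {"sub": key.name, "scope": " ".join(validate(key, requested))}


def can_write(claims: Dict[str, str]) -> bool:
    """Would the API treat this token as entitled to write operations
    (publish, retire, modify packages, create further keys)?"""
    return any(covers(s, "api:write") for s in claims["scope"].split())


def demo() -> Dict[str, object]:
    """Exchange one constructed read-only key through both checks."""
    read_only = ApiKey("ci-reader", [Permission("api", "read")])  # constructed sample key
    before = exchange(read_only, None, vulnerable_validate)
    after = exchange(read_only, None, fixed_validate)
    try:
        exchange(read_only, ["api"], fixed_validate)
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True
    return {
        "before_scope": before["scope"], "before_can_write": can_write(before),
        "after_scope": after["scope"], "after_can_write": can_write(after),
        "explicit_api_request_blocked": escalation_blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical check this suggests for any token-exchange endpoint: the scope granted to a derived token must be computed from the full credential, never from a prefix of it, and the default when the client requests no scope must be the credential's own scope rather than the widest scope in its family.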