Description
Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.

An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions.

When exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad "api" scope instead of the expected "api:read" scope. This token is therefore treated as having full API access.

If an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.

This vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.

This issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.
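As an added illustration (not hexpm's own code, and not the patched routine), the two shapes of scope validation that the description contrasts: a check that compares only the scope's domain against the key's permissions, beside one that honours the resource qualifier so that a key with domain "api", resource "read" can obtain at most "api:read". The module name, the permission map shape and the nil-means-unrestricted convention are assumptions for this example.

```elixir
defmodule ScopeValidationExample do
  # Illustrative re-implementation, NOT hexpm's own code. Key permissions are
  # assumed to be maps such as %{domain: "api", resource: "read"}; a nil
  # resource means the key is unrestricted within that domain.

  # Scopes a key should receive when the client_credentials request names
  # none: a read-only key yields "api:read", never the broad "api".
  def default_scopes(permissions) do
    Enum.map(permissions, fn
      %{domain: d, resource: nil} -> d
      %{domain: d, resource: r} -> d <> ":" <> r
    end)
  end

  # Vulnerable shape: only the domain is compared, so a key limited to
  # api/read satisfies a request for the broad "api" scope and the resulting
  # JWT is treated as full access.
  def validate_scopes_ignoring_resource(requested, permissions) do
    domains = Enum.map(permissions, & &1.domain)
    if Enum.all?(requested, fn s -> domain_of(s) in domains end),
      do: {:ok, requested},
      else: {:error, :invalid_scope}
  end

  # Corrected shape: every requested scope must be covered by a permission on
  # the key whose resource qualifier is at least as broad. "api" is only
  # granted by an unqualified permission; "api:read" by api/read or api/nil.
  def validate_scopes_against_key(requested, permissions) do
    if Enum.all?(requested, &covered?(&1, permissions)),
      do: {:ok, requested},
      else: {:error, :invalid_scope}
  end

  defp covered?(scope, permissions) do
    {domain, resource} = split_scope(scope)
    Enum.any?(permissions, fn perm ->
      perm.domain == domain and (is_nil(perm.resource) or perm.resource == resource)
    end)
  end

  defp split_scope(scope) do
    case String.split(scope, ":", parts: 2) do
      [domain] -> {domain, nil}
      [domain, resource] -> {domain, resource}
    end
  end

  defp domain_of(scope), do: elem(split_scope(scope), 0)
end
```

With `[%{domain: "api", resource: "read"}]`, `validate_scopes_ignoring_resource(["api"], perms)` returns `{:ok, ["api"]}` while `validate_scopes_against_key(["api"], perms)` returns `{:error, :invalid_scope}` and only `["api:read"]` is accepted.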
Published: 2026-03-05
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Mis-scoped OAuth Tokens
Action: Apply Patch
AI Analysis

Impact

An API key created with read-only permissions (domain "api", resource "read") can be abused when exchanged via the OAuth client_credentials grant. The server's scope validation ignores the resource qualifier, resulting in a JWT that carries the broad "api" scope instead of the expected limited "api:read" scope. The incorrectly scoped token is then treated as a full-access token, allowing an attacker to create new API keys with unrestricted permissions, perform write operations such as publishing or retiring packages, and potentially compromise the entire Hex.pm ecosystem. This flaw is a classic privilege escalation stemming from improper scope enforcement (CWE-863).

Affected Systems

The vulnerability affects Hex.pm, the Elixir-based package manager powered by the hexpm:hexpm repository. It is present in all commits from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b up to, but excluding, commit 71c127afebb7ed7cc637eb231b98feb802d62999. The affected components are the OAuth controller logic within the Hex.pm web application.

Risk and Exploitability

With a CVSS score of 7 and an EPSS score of less than 1%, the exploit likelihood is considered low but non-zero, and the vulnerability is currently not listed in CISA's KEV catalog. The attack requires the attacker to possess a victim's read-only API key and a valid two-factor authentication code for that account. Once those credentials are in hand, the attacker can trigger the client_credentials flow, receive a mis-scoped JWT, and generate a new full-access API key that does not expire by default. The risk is thus confined to accounts for which the attacker can procure both the read-only key and a valid 2FA code, but the impact of such a token is system-wide, enabling arbitrary package modifications and potential compromise of all dependent services.

Generated by OpenCVE AI on April 15, 2026 at 22:43 UTC.

Remediation

Vendor Workaround

* Revoke and reissue exposed API keys immediately if compromise is suspected.
* Avoid relying on read-only API keys as a strict security boundary in high-risk environments.
* Closely monitor audit logs for unexpected API key creation events.
* Enforce strong 2FA hygiene and protect TOTP seeds carefully.

There is no complete mitigation without upgrading, as the issue exists in server-side scope validation logic.


OpenCVE Recommended Actions

  • Upgrade Hex.pm to commit 71c127afebb7ed7cc637eb231b98feb802d62999 or later
  • Revoke any exposed read‑only API keys immediately
  • Reissue new API keys with intended permissions and enforce strong 2FA hygiene

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000


Wed, 25 Mar 2026 01:30:00 +0000

Type / Values Removed / Values Added
First Time appeared: Hex; Hex hexpm
CPEs: cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*
Vendors & Products: Hex; Hex hexpm
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Fri, 06 Mar 2026 18:15:00 +0000

Type / Values Removed / Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 19:30:00 +0000

Type / Values Removed / Values Added
Description: (identical to the Description section at the top of this page)
Title: Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
First Time appeared: Hexpm; Hexpm hexpm
Weaknesses: CWE-863
CPEs: cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*
Vendors & Products: Hexpm; Hexpm hexpm
References:
Metrics: cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:09.535Z

Reserved: 2026-01-01T03:46:45.934Z

Link: CVE-2026-21621

Vulnrichment

Updated: 2026-03-06T18:03:49.562Z

NVD

Status: Modified

Published: 2026-03-05T20:16:12.617

Modified: 2026-04-06T17:17:07.550

Link: CVE-2026-21621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses