Auth bypass in Hexpm Hex.pm

CVE-2026-21621

Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to ful…

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.2th percentile)

Affected products

  • Hexpm Hex.pm — versions 2025-08-18
  • Hexpm — versions 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b

Weakness classification (CWE)

References