Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-21621 is an Incorrect Authorization vulnerability in the hexpm package manager\'s OAuth client_credentials flow. It occurs because the system improperly ignores the resource qualifier when exchanging a read-only API key, causing the issued JWT token to have a broad "api" scope instead of the restricted "api:read" scope.'}, {'type': 'paragraph', 'content': "This means that an API key created with read-only permissions can be escalated to full write access under specific conditions. If an attacker obtains a victim's read-only API key and a valid two-factor authentication (2FA) TOTP code, they can use the improperly scoped JWT to create a new full-access API key with unrestricted permissions that does not expire by default."}, {'type': 'paragraph', 'content': 'The vulnerability was caused by the function `validate_scopes_against_key/2` ignoring the resource field within the "api" domain, always allowing the broad "api" scope regardless of the key\'s restrictions. The fix involved properly validating scopes against the key\'s permissions to prevent privilege escalation.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to privilege escalation from read-only API access to full write access. An attacker who obtains a victim's read-only API key and valid 2FA code can create a new API key with unrestricted permissions."}, {'type': 'list_item', 'content': 'The attacker can perform write operations such as publishing, retiring, or modifying packages.'}, {'type': 'list_item', 'content': 'The new API key created does not expire by default, allowing persistent unauthorized access.'}, {'type': 'paragraph', 'content': 'This can compromise the integrity of the package repository and potentially disrupt software supply chains relying on hexpm.'}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for unusual API key usage and creation patterns, especially the creation of new full-access API keys from read-only API keys.'}, {'type': 'paragraph', 'content': 'Specifically, you should audit logs for any unexpected API key creation events that grant unrestricted permissions, which may indicate exploitation of the OAuth client_credentials scope escalation.'}, {'type': 'paragraph', 'content': 'Commands or methods to detect this might include:'}, {'type': 'list_item', 'content': 'Review API key creation logs for new keys with full write permissions that were generated recently.'}, {'type': 'list_item', 'content': 'Check OAuth token issuance logs to identify tokens issued with broad "api" scope when only "api:read" scope was expected.'}, {'type': 'list_item', 'content': 'Use system or application log search commands such as `grep` or `jq` on JSON logs to filter for suspicious API key or token creation events.'}, {'type': 'list_item', 'content': 'Example command to search logs for API key creation events with full access (assuming JSON logs): `jq \'.event == "api_key_created" and .permissions == "api"\' /var/log/hexpm.log`'}, {'type': 'list_item', 'content': 'Monitor for usage of read-only API keys that suddenly perform write operations, which can be detected by analyzing API request logs.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include revoking and reissuing any exposed API keys, especially those with read-only permissions that might have been escalated.

Avoid relying on read-only API keys as strict security boundaries until the vulnerability is fully patched.

Monitor audit logs closely for unexpected API key creation or usage patterns that could indicate exploitation.

Enforce strong two-factor authentication (2FA) hygiene to reduce the risk of attackers obtaining valid 2FA codes.

Ultimately, apply the official patch that fixes the scope validation logic in the OAuth client_credentials flow to fully resolve the issue.

Useful 0 Not Useful 0