CVE-2026-21622

Published: Mar 05, 2026 Last Modified: Mar 09, 2026
CRITICAL 9.5
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description


Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover.

Password reset tokens generated via the 'Reset your password' flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.

If a user's historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim's password. The attacker does not need current access to the victim's email account, only access to a previously leaked copy of the reset email.

This vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3.

This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.
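The two checks below are an added illustration of the flaw the advisory describes, not hexpm's own code and not the content of the fix commit: a reset check that validates only the secret (so a reset email recovered from an old mailbox dump is honoured no matter when it was sent) next to one that also bounds the token's age. The module name, the struct, the 24-hour lifetime and the sample token are assumptions chosen for the example.

```elixir
# Added example (not hexpm's own code): a password-reset check with no
# expiration, beside a hardened version that enforces a time-based limit.
# Module name, struct, TTL and sample data are assumptions for illustration.
defmodule PasswordResetExample do
  import Bitwise

  # Stands in for a persisted reset request: the secret mailed to the user and
  # the time it was issued. Real code would load this from the database.
  defstruct [:key, :inserted_at]

  # Assumed policy: a reset link is honoured for at most one day.
  @reset_ttl_seconds 24 * 60 * 60

  # Vulnerable shape: only the secret is checked, so a reset email that leaks
  # from a historical mailbox archive is accepted however old it is.
  def can_reset_vulnerable?(%__MODULE__{key: stored}, key) do
    secure_compare(stored, key)
  end

  # Hardened shape: the secret must match AND the request must be younger than
  # the TTL. `now` is a parameter so the check is deterministic under test.
  def can_reset?(%__MODULE__{key: stored, inserted_at: issued}, key, now \\ DateTime.utc_now()) do
    fresh? = DateTime.diff(now, issued, :second) <= @reset_ttl_seconds
    fresh? and secure_compare(stored, key)
  end

  # Constant-time comparison so token checks do not leak matching prefixes.
  # (Plug.Crypto.secure_compare/2 serves the same purpose in a Phoenix app.)
  defp secure_compare(a, b) when is_binary(a) and is_binary(b) and byte_size(a) == byte_size(b) do
    diff =
      Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
      |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end)

    diff == 0
  end

  defp secure_compare(_, _), do: false

  # Walk-through with constructed data: a token issued on 2026-01-01, tried
  # one hour later and again thirty days later.
  def demo do
    issued = ~U[2026-01-01 00:00:00Z]
    token = "constructed-sample-token"
    request = %__MODULE__{key: token, inserted_at: issued}

    one_hour_later = DateTime.add(issued, 3600, :second)
    thirty_days_later = DateTime.add(issued, 30 * 24 * 60 * 60, :second)

    %{
      vulnerable_after_30_days: can_reset_vulnerable?(request, token),
      hardened_after_1_hour: can_reset?(request, token, one_hour_later),
      hardened_after_30_days: can_reset?(request, token, thirty_days_later),
      hardened_wrong_token: can_reset?(request, "some-other-token", one_hour_later)
    }
  end
end

IO.inspect(PasswordResetExample.demo())
```

Run it as a script with `elixir password_reset_example.exs`. The vulnerable check accepts the thirty-day-old token, while the hardened check accepts it only within the one-hour case and rejects both the stale token and a wrong token. The age check is deliberately independent of the secret comparison: an expired token must fail even when the secret is correct, and the check belongs in front of any code path that actually updates the password. Expiration complements, and does not replace, the single-use behaviour the advisory already notes (the token is consumed once used).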

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.

EPSS Score: 0.0004
Percentile: 0.1th

CWE-613: Insufficient Session Expiration

Status: Incomplete
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
Technologies: Web Based, Web Server
https://github.com/hexpm/hexpm/commit/bb0e42091995945deef10556f58d046a52eb7884
https://github.com/hexpm/hexpm/security/advisories/GHSA-6r94-pvwf-mxqm