Cyber Posture

CVE-2026-21622

Critical

Published: 05 March 2026
Modified: 06 April 2026
KEV Added: not listed
Patch: available (fixed in commit bb0e42091995945deef10556f58d046a52eb7884)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21622 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in Hex Hexpm: password reset tokens issued by the "Reset your password" flow never expire, so an unused reset link recovered from an old email stays usable for account takeover. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). EPSS places it at the 19.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

AC-12 Session Termination (prevent)
Requires automatic termination of sessions after organization-defined time periods or events, directly mitigating the indefinite validity of password reset tokens.

IA-5 Authenticator Management (prevent)
Mandates changing or refreshing authenticators within defined time periods, addressing the lack of expiration for password reset tokens used as temporary authenticators.

SI-10 Information Input Validation (prevent)
Requires validation of inputs such as password reset tokens against criteria including an expiration time limit, in routines like can_reset?/3, preventing use of stale tokens.

MITRE ATT&CK Enterprise Techniques [AI]

T1078 Valid Accounts (tag: Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

A non-expiring password reset token lets an attacker who holds a leaked, unused reset link set a new password for the victim and then authenticate with valid credentials, which is the account takeover T1078 describes.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced. If a user's historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim's password. The attacker does not need current access to the victim's email account, only access to a previously leaked copy of the reset email. This vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.

Deeper analysis [AI]

CVE-2026-21622 is an insufficient session expiration vulnerability in the hexpm/hexpm repository, specifically within the Elixir.Hexpm.Accounts.PasswordReset module in lib/hexpm/accounts/password_reset.ex, in the can_reset?/3 routine. It affects versions of hexpm from commit 617e44c71f1dd9043870205f371d375c5c4d886d up to but not including bb0e42091995945deef10556f58d046a52eb7884. Password reset tokens generated through the "Reset your password" flow carry no time-based expiration and remain valid indefinitely until used, which enables account takeover; the issue is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-613.

An attacker can exploit this remotely and without privileges by obtaining an unused password reset token from a victim's exposed historical emails, such as a mailbox archive leaked in a data breach. When a reset is requested, Hex sends an email with a link containing the token; if a copy of that email later surfaces in a breach, the attacker can follow the link and reset the victim's password without any current access to the victim's mailbox, resulting in full account takeover. The attacker cannot trigger the leak by requesting a reset, since the email goes to the victim; the precondition is that a reset was requested at some point and the email was never used.

Advisories and the associated patch recommend updating to the fixed commit bb0e42091995945deef10556f58d046a52eb7884 or later, which enforces proper token expiration. Details are available in the GitHub security advisory GHSA-6r94-pvwf-mxqm, the CNA page at cna.erlef.org, and the OSV entry at osv.dev.
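The two checks below are an added Python illustration written for this page; they are not hexpm's Elixir code and not the actual patch. They contrast the non-expiring shape described in the NVD text and the SI-10 control note above (a token is accepted as long as it matches and is unused, with no look at the clock) with a hardened check that also enforces a time window, rejects rows stamped in the future, hashes tokens at rest and burns them on use. The in-memory store, the field names, the one-hour TTL and the function name `can_reset` (chosen to echo the `can_reset?/3` routine named in the advisory) are all assumptions.

```python
"""Password reset tokens: a non-expiring check beside an expiring one.

Illustrative example only (not hexpm's code or patch). The store, field
names and the one-hour TTL are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

RESET_TOKEN_TTL = timedelta(hours=1)  # assumed lifetime; set per your threat model


@dataclass
class PasswordReset:
    """One row per issued reset request; stores a hash, never the raw token."""
    user_id: str
    token_hash: bytes
    issued_at: datetime
    used_at: Optional[datetime] = None


@dataclass
class ResetStore:
    """In-memory stand-in for the database table (constructed for this example)."""
    rows: Dict[str, PasswordReset] = field(default_factory=dict)  # keyed by user_id


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(store: ResetStore, user_id: str, now: datetime) -> str:
    """Mint a token, persist its hash and issuance time, return the raw token for the email."""
    token = secrets.token_urlsafe(32)
    store.rows[user_id] = PasswordReset(user_id, _hash_token(token), now)
    return token


def can_reset_without_expiry(store: ResetStore, user_id: str, token: str) -> bool:
    """The vulnerable shape (CWE-613): matches and unused means accepted,
    however long ago the reset email was sent."""
    row = store.rows.get(user_id)
    if row is None or row.used_at is not None:
        return False
    return hmac.compare_digest(row.token_hash, _hash_token(token))


def can_reset(store: ResetStore, user_id: str, token: str, now: datetime,
              ttl: timedelta = RESET_TOKEN_TTL) -> bool:
    """Hardened check: same match and single-use rules plus a time window.
    Rejects rows issued in the future (clock skew or tampering) and tokens
    older than ttl, so a reset email leaked long after the fact is useless."""
    row = store.rows.get(user_id)
    if row is None or row.used_at is not None:
        return False
    if not hmac.compare_digest(row.token_hash, _hash_token(token)):
        return False
    age = now - row.issued_at
    return timedelta(0) <= age <= ttl


def consume_reset_token(store: ResetStore, user_id: str, token: str, now: datetime) -> bool:
    """Validate with the expiring check and, on success, mark the token used."""
    if not can_reset(store, user_id, token, now):
        return False
    store.rows[user_id].used_at = now
    return True


def demo() -> dict:
    """Constructed scenario: a reset email is issued, then turns up in a mailbox dump 400 days later."""
    t0 = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)
    store = ResetStore()
    token = issue_reset_token(store, "alice", t0)
    leaked_much_later = t0 + timedelta(days=400)

    results = {
        "fresh_accepted": can_reset(store, "alice", token, t0 + timedelta(minutes=5)),
        "stale_accepted_by_vulnerable_check": can_reset_without_expiry(store, "alice", token),
        "stale_accepted_by_hardened_check": can_reset(store, "alice", token, leaked_much_later),
        "forged_rejected": not can_reset(store, "alice", secrets.token_urlsafe(32), t0),
    }
    # single use: the first consumption succeeds, a replay of the same link does not
    results["consumed_once"] = consume_reset_token(store, "alice", token, t0 + timedelta(minutes=10))
    results["replay_rejected"] = not can_reset(store, "alice", token, t0 + timedelta(minutes=11))
    # a row stamped ahead of the verifier's clock is refused rather than treated as fresh
    store2 = ResetStore()
    token2 = issue_reset_token(store2, "bob", t0)
    results["future_issued_rejected"] = not can_reset(store2, "bob", token2, t0 - timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the leaked 400-day-old token accepted by the non-expiring check and refused by the hardened one; the remaining entries confirm that a fresh token still works, that a forged token, a replayed token and a future-dated row are all rejected. In a real deployment the TTL belongs in configuration, the store is a database table, and the timestamps should come from a trusted server clock rather than the request.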

Details

CWE(s): CWE-613 Insufficient Session Expiration
Affected Products: hex hexpm (2025-10-01 to 2026-03-05)

CVEs Like This One

CVE-2026-23939 (same product: Hex Hexpm)
CVE-2026-33417 (shared CWE-613)
CVE-2026-29092 (shared CWE-613)
CVE-2026-34503 (shared CWE-613)
CVE-2026-26060 (shared CWE-613)
CVE-2025-36376 (shared CWE-613)
CVE-2026-20895 (shared CWE-613)
CVE-2024-13280 (shared CWE-613)
CVE-2025-56643 (shared CWE-613)
CVE-2026-27764 (shared CWE-613)
