Cyber Resilience

CVE-2026-23939

Medium

Published: 26 February 2026

Modified: 06 April 2026
KEV Added: not listed
Patch: available (see References)
CVSS v4 Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0008 (23.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23939 is a medium-severity Path Traversal (CWE-22) vulnerability in Hex Hexpm. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.8th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23939 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified as CWE-22 (Path Traversal), affecting the hexpm/hexpm project in its Elixir.Hexpm.Store.Local module. The flaw enables relative path traversal and is tied to specific program files like lib/hexpm/store/local.ex and routines such as Elixir.Hexpm.Store.Local:get/3, put/4, delete/2, and delete_many/2. It impacts self-hosted deployments of hexpm that use the Local Storage backend, from commit 931ee0ed46fa89218e0400a4f6e6d15f96406050 up to but not including 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0. The hex.pm service itself remains unaffected.

Attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, user interaction, or scope changes, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Any unauthenticated remote attacker able to interact with the affected Local Storage backend endpoints could traverse paths to access sensitive files, resulting in high confidentiality impact through unauthorized data disclosure.

Advisories from the CNA at erlef.org, the GitHub security advisory GHSA-42mv-r64p-4869, and the patch commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 recommend updating self-hosted hexpm deployments to the fixed commit or later versions to mitigate the issue. Additional details are available via OSV.dev at osv.dev/vulnerability/EEF-CVE-2026-23939.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in the public-facing Local Storage backend directly enables remote exploitation of the web application (T1190) for unauthorized file access, and thereby collection of data from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21622 (same product: Hex Hexpm)
CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)
CVE-2025-41368 (shared CWE-22)

Affected Assets

hex
hexpm
2014-09-29 — 2026-02-26

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: SI-10 (Information Input Validation)
Directly mitigates path traversal by requiring validation and sanitization of pathname inputs to the Elixir.Hexpm.Store.Local module functions like get/3 and put/4.

Prevent: SI-2 (Flaw Remediation)
Addresses the specific flaw through timely identification, reporting, and remediation by updating to the fixed commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 or later in self-hosted hexpm deployments.

Prevent (control identifier not stated on this page)
Enforces logical access restrictions to limit operations to the intended restricted directory, countering the improper limitation of pathnames in the Local Storage backend.

References