CVE-2026-21622: Password Reset Tokens Do Not Expire

Published Mar 5, 2026
·
Updated

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced. If a user's historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim's password. The attacker does not need current access to the victim's email account, only access to a previously leaked copy of the reset email. This vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.

Affected Software

2 affected components
hexpm/hexpm>617e44c71f1dd9043870205f371d375c5c4d886d<=bb0e42091995945deef10556f58d046a52eb7884
Hex hexpm>=2025-10-01<2026-03-05

Remediation

Patch Available

https://github.com/hexpm/hexpm/commit/bb0e42091995945deef10556f58d046a52eb7884

Patch Available

https://github.com/hexpm/hexpm/security/advisories/GHSA-6r94-pvwf-mxqm

Event History

Mar 5, 2026
CVE Published
via MITRE·09:18 PM
Data Sourced
via MITRE·09:18 PM
DescriptionWeakness
Data Sourced
via NVD·10:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-21622?

CVE-2026-21622 has a high severity rating due to the potential for account takeover.

2

How do I fix CVE-2026-21622?

To fix CVE-2026-21622, update to a version of hexpm/hexpm that includes the expiration of password reset tokens.

3

What does CVE-2026-21622 affect?

CVE-2026-21622 affects the hexpm/hexpm application, specifically the password reset functionality.

4

What is the impact of CVE-2026-21622?

The impact of CVE-2026-21622 is that it allows attackers to exploit non-expired password reset tokens for account takeover.

5

Who is at risk for CVE-2026-21622?

Users of hexpm/hexpm who rely on email-based password resets are at risk for CVE-2026-21622.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203