Vulnerability Summary
| Field | Details |
|---|---|
| CVE ID | CVE-2026-21622 |
| Vulnerability Name | Password Reset Tokens Never Expire |
| Affected Platform | Hex.pm |
| Vulnerability Type | Insufficient Session Expiration |
| CWE | CWE-613 |
| CVSS v3.1 Score | 9.1 |
| Severity | Critical |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | Required |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | Low |
| Exploitability | High |
| Exploit Availability | No widely published exploit kit, but easily reproducible |
| Authentication Required | No |
| Affected Component | Password reset workflow |
| Risk Type | Account Takeover |
Overview
CVE-2026-21622 describes a security issue in the Hex.pm package repository platform where password reset tokens generated during the account recovery process do not expire.
When a password reset is requested, a unique token is generated and sent to the user’s email address through a password reset link. The system stores this token so that it can be validated when the reset request is completed.
However, the application fails to enforce a time-based expiration policy for these tokens. As a result, any reset token generated by the system remains valid indefinitely until it is used.
Because of this behavior, an attacker who obtains a previously generated password reset email can reuse the embedded token at any time in the future to reset the victim’s password and gain access to the account.
The vulnerability becomes particularly dangerous when email archives are exposed through breaches, misconfigurations, or insider access. Historical password reset messages can contain valid tokens that remain usable even months or years after they were created.
Affected Systems
The vulnerability affects deployments of the Hex.pm package registry that use the vulnerable password reset implementation, in which reset tokens are generated without any expiration enforcement.
Any environment where:
- Password reset tokens are stored without expiration timestamps
- Reset token validation does not verify token age
- Tokens remain valid until consumed
may be exposed to account takeover attacks.
Root Cause
The issue originates from missing expiration logic in the password recovery workflow.
The reset token lifecycle in the vulnerable implementation is as follows:
- A token is generated when the user requests a password reset.
- The token is stored in the database.
- The token is embedded in a reset link sent to the user via email.
- The system validates the token when the reset link is accessed.
The vulnerability exists because no timestamp validation is performed when the token is processed. The backend only verifies that the token exists and has not already been used.
Since expiration is never checked, the token remains valid indefinitely.
Technical Details
In a properly implemented password recovery mechanism, reset tokens typically include:
- Creation timestamp
- Expiration period
- One-time use restriction
In the vulnerable implementation:
- Tokens are created and stored.
- No expiration timestamp is associated with the token.
- Token validity checks only verify token existence.
- Old tokens remain accepted by the application.
Because of this design flaw, the application treats a token generated minutes ago the same as one generated several months earlier.
If the token remains unused, it can still be used to complete a password reset operation.
Attack Scenario
Scenario 1 – Compromised Email Archive
An attacker obtains access to a leaked mailbox database.
The attacker searches for messages containing password reset emails from Hex.pm.
An old password reset email is located containing a reset link.
The token embedded in the link is extracted.
The attacker accesses the reset endpoint using the token and sets a new password.
Access to the victim account is obtained.
Scenario 2 – Shared Email System Exposure
Password reset messages are stored in shared organizational mailboxes.
Historical email archives are accessible to internal users.
An insider retrieves unused reset tokens from old emails.
Those tokens are used to reset passwords for targeted accounts.
Scenario 3 – Email Account Breach
A user’s email account is compromised.
The attacker searches archived messages for reset emails.
Even if the reset request was performed long ago, the token can still be used.
The attacker resets the password and gains full account access.
Exploitation Method
The exploitation process is straightforward once a reset token is obtained.
The attacker only needs access to the reset URL that contains the token.
Example reset URL format:
https://hex.pm/reset-password?token=<token_value>
If the token exists in the database and has not yet been used, the application accepts the request regardless of token age.
Proof of Concept (Educational)
The following example illustrates how the vulnerability could be abused in a controlled testing environment.
Step 1 – Identify password reset link
https://hex.pm/reset-password?token=abc123token
Step 2 – Submit password reset request
```http
POST /reset-password HTTP/1.1
Host: hex.pm
Content-Type: application/x-www-form-urlencoded

token=abc123token&password=NewPassword123&confirm_password=NewPassword123
```
If the token has not been used previously, the password change is processed successfully.
The account password is then replaced with the attacker-controlled value.
Impact
Successful exploitation can result in full account takeover.
Once access is obtained, an attacker may:
- Modify account credentials
- Upload malicious packages
- Publish backdoored software
- Modify existing packages
- Poison dependency chains
- Distribute malicious code to downstream users
For software package registries, the risk is significant because compromised accounts can be used to introduce malicious code into widely used libraries.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1078 | Valid Accounts |
| Credential Access | T1552 | Unsecured Credentials |
| Persistence | T1098 | Account Manipulation |
| Defense Evasion | T1070 | Indicator Removal |
| Privilege Escalation | T1098.003 | Additional Account Manipulation |
Indicators of Compromise
Security monitoring teams should watch for the following indicators:
- Password reset operations triggered using very old tokens
- Password reset events without a corresponding recent reset request
- Password resets followed immediately by login activity
- Reset activity originating from unfamiliar geographic locations
- Multiple reset attempts using the same token
Unusual authentication patterns after password reset activity should be investigated.
Detection
Monitoring authentication workflows and reset endpoints can help identify suspicious activity.
Security teams should focus on password reset endpoints and analyze token usage patterns.
Key behaviors to monitor include:
- Reset tokens used long after generation
- Reset tokens reused across multiple attempts
- Reset actions originating from unusual IP addresses
Detection Queries
Splunk
```
index=web_logs "/reset-password"
| stats earliest(_time) as reset_request latest(_time) as reset_action by token
| eval token_age = reset_action - reset_request
| where token_age > 86400
```
Elastic KQL
```
url.path : "/reset-password*" and http.request.method : ("GET" or "POST")
```
Elastic EQL
```
sequence by user.id
  [authentication where event.action == "password_reset_request"]
  [authentication where event.action == "password_reset_success"]
```
Microsoft Sentinel (KQL)
```
SigninLogs
| where OperationName contains "PasswordReset"
| extend TimeDifference = datetime_diff("hour", TimeGenerated, CreatedDateTime)
| where TimeDifference > 24
```
LogPoint
```
norm_id=PasswordReset
| stats earliest(_time) as reset_request latest(_time) as reset_success by user token
| where reset_success - reset_request > 86400
```
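The queries above all reduce to the same idea: pair each reset request with the later use of the same token and alarm on the gap, on replay, and on a success that has no request behind it. The following Python detector is an added example for this section and for the Indicators of Compromise list; it is not a query shipped by Hex.pm or by any of the SIEM vendors named. It assumes a JSON application log with fields `ts`, `event`, `user`, `token_id` and `src_ip`, where `token_id` is a non-secret identifier for the token (never the token value itself), and it uses the same 24-hour threshold as the Splunk query. The log lines are constructed sample data.

```python
"""Flag stale, replayed and orphaned password reset tokens in application logs.

Added example for the Detection and Indicators of Compromise sections; the
log format, field names and sample lines are assumptions, not Hex.pm output.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

MAX_TOKEN_AGE_SECONDS = 86400   # same 24h threshold as the Splunk query above

# Constructed sample log: bob replays a consumed token, alice's token is used
# 90 days after issue from a different address, and carol's success has no
# matching request in the retained logs (the token predates retention).
SAMPLE_LOGS = """
{"ts": "2026-01-05T10:00:00Z", "event": "password_reset_request",  "user": "alice", "token_id": "t-001", "src_ip": "203.0.113.5"}
{"ts": "2026-01-05T10:02:00Z", "event": "password_reset_request",  "user": "bob",   "token_id": "t-002", "src_ip": "198.51.100.7"}
{"ts": "2026-01-05T10:10:00Z", "event": "password_reset_success",  "user": "bob",   "token_id": "t-002", "src_ip": "198.51.100.7"}
{"ts": "2026-01-05T10:11:00Z", "event": "password_reset_rejected", "user": "bob",   "token_id": "t-002", "src_ip": "198.51.100.7"}
{"ts": "2026-04-05T03:00:00Z", "event": "password_reset_success",  "user": "alice", "token_id": "t-001", "src_ip": "192.0.2.99"}
{"ts": "2026-04-05T03:05:00Z", "event": "password_reset_success",  "user": "carol", "token_id": "t-003", "src_ip": "192.0.2.99"}
"""

USE_EVENTS = {"password_reset_success", "password_reset_rejected"}


def parse(lines: str) -> List[dict]:
    """Parse one JSON record per line and return them ordered by timestamp."""
    events = []
    for line in lines.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_reset_anomalies(lines: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious reset behaviour seen in the log."""
    findings: List[Dict[str, object]] = []
    issued: Dict[str, dict] = {}            # token_id -> the request that created it
    uses = defaultdict(int)                 # token_id -> number of redemption attempts
    for rec in parse(lines):
        if rec["event"] == "password_reset_request":
            issued[rec["token_id"]] = rec
            continue
        if rec["event"] not in USE_EVENTS:
            continue
        tid, user = rec["token_id"], rec["user"]
        uses[tid] += 1
        if uses[tid] > 1:
            # Any second attempt with the same token, successful or not, is replay.
            findings.append({"token_id": tid, "user": user, "reason": "token_reused"})
        req = issued.get(tid)
        if req is None:
            if rec["event"] == "password_reset_success":
                # A reset with no request in the retained window: the token is
                # older than the logs, which is exactly the stale-token case.
                findings.append({"token_id": tid, "user": user,
                                 "reason": "success_without_request"})
            continue
        if rec["event"] == "password_reset_success":
            age = int((rec["ts"] - req["ts"]).total_seconds())
            if age > MAX_TOKEN_AGE_SECONDS:
                findings.append({"token_id": tid, "user": user,
                                 "reason": "stale_token", "age_seconds": age})
            if rec["src_ip"] != req["src_ip"]:
                findings.append({"token_id": tid, "user": user,
                                 "reason": "source_ip_changed"})
    return findings


if __name__ == "__main__":
    for finding in find_reset_anomalies(SAMPLE_LOGS):
        print(finding)
```

The `success_without_request` rule matters more than it looks: on a platform where tokens never expire, the most dangerous redemptions are precisely the ones whose originating request has already aged out of log retention, so an absent request is itself the signal rather than a data-quality problem.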
Threat Hunting
Threat hunters should search historical logs for reset tokens used after long delays.
Indicators that may suggest abuse include:
- Token usage after several days or weeks
- Password resets from foreign IP addresses
- Reset requests followed by rapid privilege changes
Log Sources
The following telemetry sources can assist in detecting exploitation attempts:
- Web server access logs
- Application authentication logs
- API gateway logs
- Reverse proxy logs
- Identity and access management logs
- Email system logs
These sources provide visibility into token usage and password reset behavior.
Mitigation
The vulnerability can be mitigated by implementing proper password reset token management.
Recommended protections include:
- Enforcing strict expiration times for reset tokens
- Limiting token validity to a short duration such as 30–60 minutes
- Invalidating tokens after a password reset is completed
- Invalidating older tokens when a new reset request is generated
- Enforcing multi-factor authentication for account access
- Monitoring reset activity for anomalies
Organizations operating similar password reset implementations should ensure that tokens include timestamp validation.
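The Root Cause and Technical Details sections describe a validator that checks only existence and single use, and this section lists what a correct one must add. The following Python sketch puts the two side by side; it is an added illustration, not Hex.pm's code, and the store layout, field names and 30-minute lifetime are assumptions chosen to match the recommendations above. The clock is injectable so that a token can be aged by months without waiting.

```python
"""Password reset token validation: the flawed check next to a hardened one.

Added illustration for the Root Cause, Technical Details and Mitigation
sections; not Hex.pm's implementation. Store layout, field names and the
30-minute lifetime are assumptions matching the advisory's recommendations.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 30 * 60   # assumed lifetime; the advisory recommends 30-60 minutes
NINETY_DAYS = 90 * 86400      # token age used in the demonstration below


@dataclass
class ResetToken:
    user: str
    created_at: float
    used: bool = False


@dataclass
class VulnerableResetStore:
    """Reproduces the flaw: redeem() checks existence and single use, never age."""
    tokens: Dict[str, ResetToken] = field(default_factory=dict)
    now: Callable[[], float] = time.time

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ResetToken(user=user, created_at=self.now())
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the account whose password may be reset, or None."""
        rec = self.tokens.get(token)
        if rec is None or rec.used:
            return None
        rec.used = True      # one-time use is enforced ...
        return rec.user      # ... but created_at is never consulted


@dataclass
class HardenedResetStore:
    """Adds expiry, hashing at rest, and revocation of older tokens on re-request."""
    tokens: Dict[str, ResetToken] = field(default_factory=dict)   # keyed by SHA-256 of the token
    now: Callable[[], float] = time.time
    ttl: float = TOKEN_TTL_SECONDS

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        # A new request invalidates every earlier unused token for the same user.
        for rec in self.tokens.values():
            if rec.user == user:
                rec.used = True
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = ResetToken(user=user, created_at=self.now())
        return token

    def redeem(self, token: str) -> Optional[str]:
        rec = self.tokens.get(self._digest(token))
        if rec is None or rec.used:
            return None
        rec.used = True      # burn the token whether or not it is still fresh
        if self.now() - rec.created_at > self.ttl:
            return None      # expired: rejected even though it was never used
        return rec.user


def stale_token_outcome(age_seconds: float = NINETY_DAYS) -> Dict[str, Optional[str]]:
    """Issue one token in each store, age it, and report which store still honours it."""
    clock = [1_700_000_000.0]           # frozen fake clock (constructed value)

    def tick() -> float:
        return clock[0]

    vulnerable = VulnerableResetStore(now=tick)
    hardened = HardenedResetStore(now=tick)
    v_token = vulnerable.issue("alice")
    h_token = hardened.issue("alice")
    clock[0] += age_seconds             # the reset e-mail sits in an archive this long
    return {"vulnerable": vulnerable.redeem(v_token), "hardened": hardened.redeem(h_token)}


if __name__ == "__main__":
    print(stale_token_outcome())        # {'vulnerable': 'alice', 'hardened': None}
```

Two details beyond the bullet list are worth keeping: the hardened store marks an expired token as used before rejecting it, so a stale token cannot be retried against a loosened check later, and it stores only a digest, so the database row is not itself a reset credential if it leaks the way an e-mail archive does.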
Patch and Upgrade
The issue has been addressed by the Hex.pm maintainers through an update that introduces token expiration checks and ensures outdated tokens are rejected during validation.
Official patch / upgrade information:
https://github.com/hexpm/hexpm
