Vulnerability Lookup

🛡️ CVE-2026-32148

🟡 CVSS 5.9 — Medium ⚠️ Exploit Public CWE-354 NVD

5.9

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected. An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering. This issue affects hex: from 0.16.0 before 2.4.2.

Details

Severity MEDIUM

CVSS Score 5.9

CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE CWE-354

Public Exploit ⚠️ Yes

Source NVD

Published 2026-04-30

Updated 2026-06-02

Modified 2026-05-05

Fix URL https://github.com/hexpm/hex/commit/d7528c8199a1144511508bf3a6460026a5a14c8e

Affected Packages

Software	From version	Fixed in
hex	0.16.0	2.4.2

References

Third Party Advisory https://cna.erlef.org/cves/CVE-2026-32148.html

Patch https://github.com/hexpm/hex/commit/d7528c8199a1144511508bf3a6460026a5a14c8e

Exploit, Patch, Vendor Advisory https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v

Exploit, Third Party Advisory https://osv.dev/vulnerability/EEF-CVE-2026-32148

Exploit, Patch, Vendor Advisory https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v

🔗 NVD 🔗 Mitre ✅ Fix / Advisory

Similar Threats

Vulnerability Monitoring

Stay informed about vulnerabilities in your stack

BotEraser monitors your WordPress installation and notifies you when software you use appears in our vulnerability database.

Set Up Free Alerts →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Stay informed about vulnerabilities in your stack

Company

Resources

Services

Trusted

Subscribe