Which versions of Hex (hexpm) are affected by CVE-2026-32148?

CVE-2026-32148 affects the Hex package manager (versions 0.16.0-2.4.1) and enables attackers to silently inject malicious dependencies into Elixir/Erlang projects by bypassing lockfile checksum…. A patch is available.

Hex (hexpm) CVE-2026-32148

Q: What is the CVSS score of CVE-2026-32148?

CVE-2026-32148 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26404 HIGH

Improper Validation of Integrity Check Value (CWE-354)

2026-04-30 EEF

Authentication Bypass

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Source Code Evidence Fetched

Apr 30, 2026 - 21:45 vuln.today

Analysis Generated

Apr 30, 2026 - 21:45 vuln.today

CVSS changed

Apr 30, 2026 - 19:22 NVD

8.9 (HIGH)

EUVD ID Assigned

Apr 30, 2026 - 19:00 euvd

EUVD-2026-26404

Analysis Generated

Apr 30, 2026 - 19:00 vuln.today

Patch released

Apr 30, 2026 - 19:00 nvd

Patch available

CVE Published

Apr 30, 2026 - 18:17 nvd

HIGH 8.9

DescriptionNVD

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.

Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.

An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.

This issue affects hex: from 0.16.0 before 2.4.2.

AnalysisAI

Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. …

RemediationAI

Within 24 hours: Audit all Hex package manager installations across development infrastructure and identify systems running versions 0.16.0 through 2.4.1. Within 7 days: Upgrade Hex to version 2.4.2 or later (commit d7528c8) on all affected systems and regenerate lock files using the patched version. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32148 vulnerability details – vuln.today

Back

Hex (hexpm) CVE-2026-32148

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Hex (hexpm) CVE-2026-32148

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code