Medium severity5.9NVD Advisory· Published Apr 30, 2026· Updated May 5, 2026

CVE-2026-32148

Description

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.

Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.

An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.

This issue affects hex: from 0.16.0 before 2.4.2.

Affected products

Hexpm/Hexreferences
Hex/Hex
cpe:2.3:a:hex:hex:*:*:*:*:*:*:*:*
Range: >=0.16.0,<2.4.2

Patches

d7528c8199a1

Fix checksum verification for dependencies in mix.lock

https://github.com/hexpm/hexEric Meadows-JönssonApr 30, 2026via nvd-ref

commit

2 files changed · +54 −4

lib/hex/remote_converger.ex+4 −4 modified

@@ -569,10 +569,8 @@ defmodule Hex.RemoteConverger do
 
   defp verify_resolved(resolved, lock) do
     Enum.each(resolved, fn {repo, name, app, version} ->
-      atom_name = String.to_atom(name)
-
       case Hex.Utils.lock(lock[String.to_atom(app)]) do
-        %{name: ^atom_name, version: ^version, repo: ^repo} = lock ->
+        %{name: ^name, version: ^version, repo: ^repo} = lock ->
           verify_inner_checksum(repo, name, version, lock.inner_checksum)
           verify_outer_checksum(repo, name, version, lock.outer_checksum)
           verify_deps(repo, name, version, lock.deps)
@@ -599,14 +597,16 @@ defmodule Hex.RemoteConverger do
     end
   end
 
+  defp verify_deps(repo, name, version, deps)
   defp verify_deps(nil, _name, _version, _deps), do: :ok
+  defp verify_deps(_repo, _name, _version, nil), do: []
 
   defp verify_deps(repo, name, version, deps) do
     # TODO: Use requests?
     deps =
       Enum.map(deps, fn {app, req, opts} ->
         %{
-          repo: opts[:repo],
+          repo: if(opts[:repo] != "hexpm", do: opts[:repo]),
           name: opts[:hex],
           constraint: Hex.Solver.parse_constraint!(req),
           optional: !!opts[:optional],

test/hex/remote_converger_test.exs+50 −0 modified

@@ -198,4 +198,54 @@ defmodule Hex.RemoteConvergerTest do
       refute_received {:mix_shell, :yes?, _}
     end)
   end
+
+  defmodule ChecksumIntegrity.MixProject do
+    def project do
+      [
+        app: :checksum_integrity,
+        version: "0.1.0",
+        deps: [
+          {:ex_doc, "~> 0.1.0"}
+        ]
+      ]
+    end
+  end
+
+  test "raises on checksum mismatch in mix.lock" do
+    in_tmp(fn ->
+      Mix.Project.push(ChecksumIntegrity.MixProject)
+
+      # First, get dependencies normally to create a valid lock file
+      :ok = Mix.Tasks.Deps.Get.run([])
+
+      # Read the lock file
+      lock = Mix.Dep.Lock.read()
+      {:hex, name, version, inner_checksum, managers, deps, repo, outer_checksum} = lock[:ex_doc]
+
+      assert_checksum_mismatch(%{
+        ex_doc:
+          {:hex, name, version, invalid_checksum(inner_checksum), managers, deps, repo,
+           outer_checksum}
+      })
+
+      assert_checksum_mismatch(%{
+        ex_doc:
+          {:hex, name, version, inner_checksum, managers, deps, repo,
+           invalid_checksum(outer_checksum)}
+      })
+    end)
+  end
+
+  defp assert_checksum_mismatch(lock) do
+    File.write!("mix.lock", inspect(lock, limit: :infinity, pretty: true))
+    Mix.Task.clear()
+
+    # The bug causes this to silently pass and rewrite the lock file with correct checksums
+    assert_raise Mix.Error, ~r/Registry checksum mismatch against lock/, fn ->
+      Mix.Tasks.Deps.Get.run([])
+    end
+  end
+
+  defp invalid_checksum("0" <> rest), do: "1" <> rest
+  defp invalid_checksum(<<_::binary-size(1), rest::binary>>), do: "0" <> rest
 end

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/hexpm/hex/commit/d7528c8199a1144511508bf3a6460026a5a14c8envdPatch
github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92vnvdExploitPatchVendor Advisory
osv.dev/vulnerability/EEF-CVE-2026-32148nvdExploitThird Party Advisory
cna.erlef.org/cves/CVE-2026-32148.htmlnvdThird Party Advisory

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

5.9/ 10

CVSS v48.9

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: High
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

Probability of exploitation in the next 30 days.

0.02%

VYPR risk score

Composite of severity, exploitation, and reach.

0.31medium

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-354
Improper Validation of Integrity Check Value
CWE-494
Download of Code Without Integrity Check

CVE ID

CVE-2026-32148

Credits

PF
Paul Fleischer
finder
EM
Eric Meadows-Jönsson / Hex.pm
remediation reviewer
JM
Jonatan Männchen / EEF
remediation developer