Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.
Published: 2026-02-26
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can send a single POST request to /v1/onboarding/config on a self-hosted Hoppscotch instance. The endpoint has no authentication guard and does not check whether onboarding has already been completed, so the request overwrites the entire infrastructure configuration. This lets the attacker replace the OAuth provider credentials for Google, GitHub and Microsoft with credentials under the attacker's control, so that all subsequent single-sign-on logins authenticate against the attacker's OAuth application; the attacker thereby obtains OAuth tokens and email addresses of every user who logs in after the takeover. In addition, the response includes a recovery token that can be used to read all stored secrets, such as SMTP passwords, in plaintext.

Affected Systems

Hoppscotch self‑hosted instances of the open‑source API development ecosystem. All releases older than 2026.2.0 are vulnerable. The affected product is listed as hoppscotch from the hoppscotch vendor, and the fix is included in the 2026.2.0 release and later.

Risk and Exploitability

The vulnerability has a CVSS score of 9.1, which is critical severity. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is currently low, but the attack itself is easy: it can be performed over the network without any credentials. The issue is not listed in the CISA KEV catalog, yet the combination of high impact and trivial exploitation makes it a likely target. The only requirement is the ability to send an unauthenticated HTTP POST to the server, which any machine that can reach the instance can do.

Generated by OpenCVE AI on April 16, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hoppscotch to version 2026.2.0 or later
  • If an upgrade cannot be performed immediately, block unauthenticated POST requests to /v1/onboarding/config using a firewall or reverse‑proxy rule
  • After the fix or block, revoke any compromised OAuth credentials, reset stored secrets and rotate any affected SMTP passwords
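As an added illustration that is not part of the OpenCVE record or the Hoppscotch project, the script below scans web-server access logs for POST requests to the endpoint named above, so an operator can tell whether the configuration was written before the upgrade or the reverse-proxy block was in place. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the nginx/Apache "combined" format (not real traffic).
# The first line is the trace an unauthenticated config overwrite would leave behind.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:10:01:12 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.9 - - [27/Feb/2026:10:02:30 +0000] "GET /v1/onboarding/status HTTP/1.1" 200 55 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2026:10:03:41 +0000] "POST /v1/auth/github HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

# Endpoint named in the advisory; compared on the path only (query string ignored).
ONBOARDING_CONFIG_PATH = "/v1/onboarding/config"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_config_overwrites(log_text, onboarding_completed_at=None):
    """Return every POST to the onboarding config endpoint.

    Any hit after onboarding_completed_at (if given) is a write that a patched
    server would have rejected, so it warrants rotating the stored credentials.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != ONBOARDING_CONFIG_PATH:
            continue
        if onboarding_completed_at is not None and rec["ts"] <= onboarding_completed_at:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_config_overwrites(SAMPLE_LOG):
        print(f"{hit['ts'].isoformat()} {hit['ip']} POST {ONBOARDING_CONFIG_PATH} -> HTTP {hit['status']}")
```

Run it against the real access log of the reverse proxy in front of the instance; a 200 response to such a POST after initial setup means the OAuth and SMTP settings must be treated as compromised.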



Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 16:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Hoppscotch; Hoppscotch hoppscotch

Type: Vendors & Products
Values Removed: (none)
Values Added: Hoppscotch; Hoppscotch hoppscotch

Thu, 26 Feb 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.

Type: Title
Values Removed: (none)
Values Added: hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284; CWE-287

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:42:36.125Z

Reserved: 2026-02-25T15:28:40.649Z

Link: CVE-2026-28215

Vulnrichment

Updated: 2026-03-02T20:42:32.791Z

NVD

Status: Analyzed

Published: 2026-02-26T23:16:35.940

Modified: 2026-02-27T15:53:07.053

Link: CVE-2026-28215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses