Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
Published: 2026-03-07
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized revocation of personal access tokens
Action: Patch immediately
AI Analysis

Impact

The flaw resides in the DELETE /v1/access-tokens/revoke endpoint of hoppscotch. When a user supplies the identifier of a personal access token (PAT), the system deletes that token without confirming that the token belongs to the calling user. This allows any authenticated user to invalidate another user’s PAT, which can lock the target user out of services that depend on those tokens, thereby compromising that user’s availability and potentially exposing confidential information that was accessed with the revoked token.

Affected Systems

All installations of hoppscotch running any version prior to 2026.2.1 are affected. The vulnerability exists because the endpoint lacks an ownership verification step for the token being revoked.

Risk and Exploitability

Although a CVSS base score is not supplied, the absence of access control elevates the risk. The EPSS score of <1% indicates a very low probability of exploitation; however, any authenticated user who wishes to sabotage another user can do so. The vulnerability is not currently listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hoppscotch to version 2026.2.1 or newer, which adds ownership verification to the revocation endpoint.
  • Audit existing personal access tokens across all users, and regenerate or reissue tokens that were revoked without authorization or that should no longer be active.
  • Enable logging and alerting for token revocation events, and use these logs to detect suspicious cross-user revocations and to notify affected users.
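The missing ownership check described in the analysis above, and the revocation logging and alerting recommended here, as an added illustration that is not Hoppscotch's code: a minimal in-memory token store with a revocation handler in the CWE-639 shape beside an ownership-checked one, an audit log of revocation requests, and a detector that flags cross-user revocations in that log. The `TokenStore` class, the handler names `revokeUnchecked` and `revokeOwned`, the audit record layout and the user and token ids are all assumptions made for the example.

```typescript
// Added example, not Hoppscotch's code: an IDOR-shaped revocation handler
// (CWE-639) beside an ownership-checked one, plus audit logging and detection.

interface PersonalAccessToken {
  id: string;
  ownerId: string;
  revoked: boolean;
}

// One audit record per revocation request, stored as a JSON line.
interface RevokeEvent {
  actorId: string;             // authenticated caller
  tokenId: string;             // id supplied in the request
  tokenOwnerId: string | null; // real owner, null if the id is unknown
  outcome: "revoked" | "denied" | "not_found";
}

type HttpStatus = 204 | 404;

class TokenStore {
  private tokens = new Map<string, PersonalAccessToken>();
  readonly auditLog: string[] = [];

  constructor(seed: PersonalAccessToken[]) {
    for (const t of seed) this.tokens.set(t.id, { ...t }); // copy so stores stay independent
  }

  isRevoked(id: string): boolean {
    return this.tokens.get(id)?.revoked ?? false;
  }

  private record(ev: RevokeEvent): void {
    this.auditLog.push(JSON.stringify(ev));
  }

  // Vulnerable shape: the caller is authenticated, but the handler revokes
  // whichever token id it is handed and never compares ownerId to actorId.
  revokeUnchecked(actorId: string, tokenId: string): HttpStatus {
    const token = this.tokens.get(tokenId);
    if (!token) {
      this.record({ actorId, tokenId, tokenOwnerId: null, outcome: "not_found" });
      return 404;
    }
    token.revoked = true;
    this.record({ actorId, tokenId, tokenOwnerId: token.ownerId, outcome: "revoked" });
    return 204;
  }

  // Hardened shape: ownership is part of the lookup. Another user's token gets
  // the same 404 as a token that does not exist, so the endpoint does not
  // confirm which ids are valid; the audit record still keeps the real reason.
  revokeOwned(actorId: string, tokenId: string): HttpStatus {
    const token = this.tokens.get(tokenId);
    if (!token) {
      this.record({ actorId, tokenId, tokenOwnerId: null, outcome: "not_found" });
      return 404;
    }
    if (token.ownerId !== actorId) {
      this.record({ actorId, tokenId, tokenOwnerId: token.ownerId, outcome: "denied" });
      return 404;
    }
    token.revoked = true;
    this.record({ actorId, tokenId, tokenOwnerId: token.ownerId, outcome: "revoked" });
    return 204;
  }
}

// Parse one audit line; malformed lines yield null and are skipped.
function parseEvent(line: string): RevokeEvent | null {
  try {
    const ev = JSON.parse(line) as RevokeEvent;
    return typeof ev.actorId === "string" && typeof ev.tokenId === "string" ? ev : null;
  } catch {
    return null;
  }
}

// Detection: any request whose actor is not the token's owner is suspicious,
// whether it succeeded (unpatched instance) or was denied (patched instance).
function detectCrossUserRevocations(lines: string[]): RevokeEvent[] {
  const hits: RevokeEvent[] = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (ev && ev.tokenOwnerId !== null && ev.tokenOwnerId !== ev.actorId) hits.push(ev);
  }
  return hits;
}

interface DemoResult {
  unchecked: HttpStatus;
  owned: HttpStatus;
  ownRevoke: HttpStatus;
  suspicious: RevokeEvent[];
}

// Constructed scenario: two users with one token each; Bob targets Alice's token.
function demo(): DemoResult {
  const seed: PersonalAccessToken[] = [
    { id: "pat_alice_1", ownerId: "alice", revoked: false },
    { id: "pat_bob_1", ownerId: "bob", revoked: false },
  ];
  const vulnerable = new TokenStore(seed);
  const unchecked = vulnerable.revokeUnchecked("bob", "pat_alice_1"); // 204: cross-user revoke succeeds

  const patched = new TokenStore(seed);
  const owned = patched.revokeOwned("bob", "pat_alice_1");      // 404: not Bob's token
  const ownRevoke = patched.revokeOwned("alice", "pat_alice_1"); // 204: owner revokes her own

  const suspicious = detectCrossUserRevocations([...vulnerable.auditLog, ...patched.auditLog, "not json"]);
  return { unchecked, owned, ownRevoke, suspicious };
}
```

The hardened handler answers a foreign token id with 404 rather than 403 so that the revocation endpoint cannot be used to confirm which token ids exist; the audit record, not the HTTP response, carries the "denied" reason. Running the detector over the combined log from `demo()` returns two events, the successful cross-user revocation on the unpatched store and the denied attempt on the patched one, which is the signal the alerting recommendation above is meant to surface.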

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 19:15:00 +0000

Type  | Values Removed | Values Added
CPEs  |                | cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hoppscotch; Hoppscotch hoppscotch
Vendors & Products  |                | Hoppscotch; Hoppscotch hoppscotch

Sat, 07 Mar 2026 05:30:00 +0000

Type        | Values Removed | Values Added
Description |                | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
Title       |                | hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1 {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:42:45.007Z

Reserved: 2026-03-05T21:06:44.605Z

Link: CVE-2026-30825

Vulnrichment

Updated: 2026-03-09T20:42:36.208Z

NVD

Status : Analyzed

Published: 2026-03-07T06:16:10.343

Modified: 2026-03-11T19:01:34.790

Link: CVE-2026-30825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses