Description
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is classified as Improper Access Control (CWE-284) and an Authentication Bypass (CWE-287). When the ONBOARDING_RECOVERY_TOKEN row in the database holds an empty string, an unauthenticated attacker can read the entire set of infrastructure secrets simply by requesting GET /v1/onboarding/config. The secrets are returned in plaintext, so database credentials, access keys, and other configuration values can be exfiltrated directly and reused against both the application and the infrastructure it runs on.

Affected Systems

hoppscotch, the open-source API development environment, is affected in versions prior to 2026.4.0; the earlier fix for CVE-2026-28215 in 2026.2.0 guarded only the POST endpoint and left the GET endpoint exposed. The issue is triggered only when the onboarding recovery token stored in the database is an empty string. The advisory does not say how the token comes to be empty, so operators should check the stored value directly rather than assume it is set.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, no-privilege read of high-confidentiality data. The EPSS estimate is below 1%, but the endpoint requires no authentication, so exploitation is trivial once the empty-token condition holds. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet; the SSVC enrichment recorded in the History section below does, however, mark Exploitation as "poc" and Automatable as "yes", so the straightforward attack path and the value of the leaked credentials warrant immediate attention. An attacker needs only a single HTTP GET to the endpoint; no privileges, user interaction, or complex setup is required.

Generated by OpenCVE AI on May 13, 2026 at 23:50 UTC.
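The following TypeScript is an added example, not hoppscotch's code, that models the failure mode described above: a recovery-token guard that silently stops enforcing anything when the stored token is an empty string, beside a guard that fails closed on an empty or short token and compares in constant time. Every name in it (OnboardingRow, weakGuard, hardenedGuard, getOnboardingConfig, the x-recovery-token header, the 32-character minimum, the sample config values) is an illustrative assumption and does not describe the project's actual routes, schema or fix.

```typescript
// Added example (not hoppscotch's code). Models how an onboarding-config
// read guard can be bypassed when the persisted recovery token is "" and
// how to close that hole. All names and values are illustrative assumptions.

// Constructed stand-in for the persisted infra-config row.
interface OnboardingRow {
  onboardingRecoveryToken: string; // the page's ONBOARDING_RECOVERY_TOKEN
  config: Record<string, string>;  // the "infrastructure secrets", in plaintext
}

// Minimal request shape: only the header carrying the caller's token matters here.
interface IncomingRequest {
  headers: Record<string, string | undefined>;
}

// Assumed header name; a missing header is normalized to "" like many frameworks do.
function presentedToken(req: IncomingRequest): string {
  return req.headers["x-recovery-token"] ?? "";
}

// Weak guard: the classic JavaScript footgun. "" is falsy, so an empty stored
// token makes `stored && ...` short-circuit and the check is never applied.
// (A plain `presented === stored` comparison fails the same way: "" === "".)
function weakGuard(row: OnboardingRow, req: IncomingRequest): boolean {
  const stored = row.onboardingRecoveryToken;
  if (stored && presentedToken(req) !== stored) return false;
  return true;
}

// Constant-time string comparison. The length check leaks only the length,
// which is fixed for a well-formed token; in production Node code
// crypto.timingSafeEqual over Buffers is the usual tool.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened guard: an unset, empty or too-short stored token fails closed
// instead of disabling the check. 32 chars is an assumed minimum.
function hardenedGuard(row: OnboardingRow, req: IncomingRequest): boolean {
  const stored = row.onboardingRecoveryToken;
  if (stored.length < 32) return false;
  return constantTimeEqual(presentedToken(req), stored);
}

// Handler that returns the config only when the guard passes; the 401 body
// carries none of the secrets.
function getOnboardingConfig(
  guard: (row: OnboardingRow, req: IncomingRequest) => boolean,
  row: OnboardingRow,
  req: IncomingRequest,
): { status: number; body: Record<string, string> } {
  if (!guard(row, req)) return { status: 401, body: {} };
  return { status: 200, body: row.config };
}

// Constructed sample data.
const EMPTY_TOKEN_ROW: OnboardingRow = {
  onboardingRecoveryToken: "",
  config: { DATABASE_URL: "postgres://user:pass@db/hopp", JWT_SECRET: "constructed-secret" },
};
const STRONG_TOKEN = "9f3c2a1b8e7d6c5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d"; // 48 chars, constructed
const STRONG_TOKEN_ROW: OnboardingRow = { ...EMPTY_TOKEN_ROW, onboardingRecoveryToken: STRONG_TOKEN };
const ANON_REQUEST: IncomingRequest = { headers: {} };
const AUTHED_REQUEST: IncomingRequest = { headers: { "x-recovery-token": STRONG_TOKEN } };

// Run both guards over the scenarios and report the HTTP status each yields.
function runScenarios(): Record<string, number> {
  return {
    weakEmptyAnon: getOnboardingConfig(weakGuard, EMPTY_TOKEN_ROW, ANON_REQUEST).status,
    weakStrongAnon: getOnboardingConfig(weakGuard, STRONG_TOKEN_ROW, ANON_REQUEST).status,
    hardenedEmptyAnon: getOnboardingConfig(hardenedGuard, EMPTY_TOKEN_ROW, ANON_REQUEST).status,
    hardenedStrongAnon: getOnboardingConfig(hardenedGuard, STRONG_TOKEN_ROW, ANON_REQUEST).status,
    hardenedStrongAuthed: getOnboardingConfig(hardenedGuard, STRONG_TOKEN_ROW, AUTHED_REQUEST).status,
  };
}

console.log(runScenarios());
```

The interesting row is weakEmptyAnon: the weak guard looks correct whenever a real token is configured (weakStrongAnon is 401), which is why this class of bug survives review; only the empty-string state exposes it. The hardened guard treats an empty token as "not configured" and refuses, which is the behaviour an operator wants while the recovery token is being set per the recommended actions.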

Remediation

The CVE description states that the issue is fixed in hoppscotch 2026.4.0. No separate vendor advisory or interim workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade to hoppscotch version 2026.4.0 or later
  • Set a strong non‑empty ONBOARDING_RECOVERY_TOKEN in the database after the upgrade
  • Configure the application or network to restrict unauthenticated access to the /v1/onboarding/config endpoint

Generated by OpenCVE AI on May 13, 2026 at 23:50 UTC.

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:15:00 +0000

  Metrics (added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 00:00:00 +0000

  First Time appeared (added): Hoppscotch; Hoppscotch hoppscotch
  Vendors & Products (added): Hoppscotch; Hoppscotch hoppscotch

Wed, 13 May 2026 22:15:00 +0000

  Description (added): hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.
  Title (added): hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token
  Weaknesses (added): CWE-284, CWE-287
  References (added):
  Metrics (added): cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:39:13.940Z

Reserved: 2026-05-06T17:18:51.782Z

Link: CVE-2026-44478

Vulnrichment

Updated: 2026-05-15T18:37:34.446Z

NVD

Status : Deferred

Published: 2026-05-13T22:16:46.207

Modified: 2026-05-15T19:17:00.020

Link: CVE-2026-44478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T00:00:07Z

Weaknesses