CVE-2026-28215
Unauthenticated Config Overwrite in Hoppscotch Enables Credential Theft
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoppscotch | hoppscotch | all versions before 2026.2.0 (2026.2.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the open source API development ecosystem Hoppscotch prior to version 2026.2.0. An unauthenticated attacker can send a single HTTP POST request to the endpoint /v1/onboarding/config, which lacks authentication and does not verify if onboarding is already completed. This allows the attacker to overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance, including OAuth provider credentials and SMTP settings.
By exploiting this, the attacker can replace the instance's Google, GitHub, or Microsoft OAuth application credentials with their own, causing all future user logins via single sign-on (SSO) to authenticate against the attacker's OAuth app. This enables the attacker to capture OAuth tokens and email addresses of every user who logs in after the exploit.
Additionally, the vulnerable endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials.
The issue is fixed in version 2026.2.0.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access and control over the Hoppscotch instance's infrastructure configuration.
- Attackers can hijack OAuth credentials, causing all user logins via SSO to authenticate through the attacker's OAuth application.
- The attacker can capture OAuth tokens and email addresses of all users logging in after the exploit, leading to potential user data compromise.
- The attacker can obtain a recovery token that allows reading all stored secrets in plaintext, including SMTP passwords and other sensitive credentials.
Overall, this can lead to significant data breaches, loss of user trust, and unauthorized access to sensitive systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
Upgrade your self-hosted Hoppscotch instance to version 2026.2.0 or later, as this version fixes the vulnerability.
Until the upgrade is applied, restrict access to the POST /v1/onboarding/config endpoint to trusted users only, as it currently allows unauthenticated attackers to overwrite infrastructure configuration.
Review and rotate any OAuth provider credentials and SMTP settings that may have been compromised.