CVE-2026-30825
Authorization Bypass in Hoppscotch Access Token Revocation Endpoint
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoppscotch | hoppscotch | before 2026.2.1 (2026.2.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30825 is an authorization bypass vulnerability in the hoppscotch-backend. It affects the DELETE /v1/access-tokens/revoke endpoint, which allows any authenticated user to delete any other user's Personal Access Token (PAT) by providing its ID without verifying ownership.

This happens because the deletePAT method lacks a check to confirm that the authenticated user owns the token they are trying to revoke. As a result, one user can revoke another user's token.

The issue was fixed in version 2026.2.1 by enforcing ownership verification so that only the rightful owner can delete their PAT. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an authenticated user to revoke other users' Personal Access Tokens without permission, which could disrupt other users' access to the API development ecosystem.

However, the CVSS score is 0.0, indicating no impact on confidentiality, integrity, or availability, so the practical impact is limited to unauthorized token revocation rather than data compromise or service disruption. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API calls to the DELETE /v1/access-tokens/revoke endpoint and checking if any authenticated user is attempting to delete Personal Access Tokens (PATs) that they do not own.

A practical approach is to log and audit requests to this endpoint, verifying whether the token ID being revoked belongs to the authenticated user making the request.

For example, you can use network traffic inspection tools or API gateway logs to identify suspicious DELETE requests with token IDs that do not match the requester's identity.

Specific commands depend on your environment, but a sample curl command to test the vulnerability might be:

```
curl -X DELETE 'https://your-hoppscotch-instance/v1/access-tokens/revoke?id=some-other-user-token-id' -H 'Authorization: Bearer <your_token>'
```

If this request succeeds in deleting a token that does not belong to the authenticated user, the system is vulnerable. [2]
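The missing ownership check described in the explanation above, and the log audit suggested for detection, as an added TypeScript illustration that is not Hoppscotch's own code: a minimal in-memory PAT store with the revoke-by-id flaw beside an ownership-checked revoke, plus a helper that flags revoke-endpoint log entries whose token id belongs to someone other than the caller. The class and function names, the "not_found" response for non-owners, and the retained owner mapping are assumptions.

```typescript
// Added example, not Hoppscotch's own code. Names (PatStore, revokeVulnerable,
// revokeChecked, RevokeLogEntry) are assumptions made for this illustration.

interface PersonalAccessToken { id: string; ownerUid: string; label: string; }
interface RevokeLogEntry { ts: string; callerUid: string; tokenId: string; status: number; }
type RevokeResult = 'revoked' | 'not_found';

class PatStore {
  private tokens = new Map<string, PersonalAccessToken>();
  // Retained owner mapping (assumption: a soft-delete column or audit table) so that
  // log review can still attribute already-revoked token ids to their owners.
  private ownerOf = new Map<string, string>();

  constructor(seed: PersonalAccessToken[]) {
    for (const t of seed) { this.tokens.set(t.id, t); this.ownerOf.set(t.id, t.ownerUid); }
  }
  has(id: string): boolean { return this.tokens.has(id); }

  // Vulnerable pattern (CWE-639): the caller's identity is ignored, so any
  // authenticated user can revoke any token whose id they supply.
  revokeVulnerable(_callerUid: string, tokenId: string): RevokeResult {
    return this.tokens.delete(tokenId) ? 'revoked' : 'not_found';
  }

  // Hardened: the token must exist AND be owned by the caller. A non-owner gets the
  // same answer as a missing id (assumption) so the endpoint does not confirm ids.
  revokeChecked(callerUid: string, tokenId: string): RevokeResult {
    const t = this.tokens.get(tokenId);
    if (t === undefined || t.ownerUid !== callerUid) return 'not_found';
    this.tokens.delete(tokenId);
    return 'revoked';
  }

  // Audit: return revoke-endpoint log entries where the token id is known but not
  // owned by the caller; on an unpatched instance these carry a success status.
  flagCrossUserRevokes(log: RevokeLogEntry[]): RevokeLogEntry[] {
    return log.filter(e => {
      const owner = this.ownerOf.get(e.tokenId);
      return owner !== undefined && owner !== e.callerUid;
    });
  }
}

// Constructed sample data: two users, one token each.
function demoStore(): PatStore {
  return new PatStore([
    { id: 'pat-alice-1', ownerUid: 'alice', label: 'ci' },
    { id: 'pat-bob-1', ownerUid: 'bob', label: 'laptop' },
  ]);
}
```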
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade hoppscotch to version 2026.2.1 or later, where the issue has been patched.
This update enforces ownership verification on the DELETE /v1/access-tokens/revoke endpoint, ensuring only the rightful owner can delete their Personal Access Tokens.
Until the upgrade is applied, restrict access to the vulnerable endpoint or monitor and audit usage closely to detect unauthorized token deletions.