Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30825 is an authorization bypass vulnerability in the hoppscotch-backend. It affects the DELETE /v1/access-tokens/revoke endpoint, which allows any authenticated user to delete any other user's Personal Access Token (PAT) by providing its ID without verifying ownership."}, {'type': 'paragraph', 'content': "This happens because the deletePAT method lacks a check to confirm that the authenticated user owns the token they are trying to revoke. As a result, one user can revoke another user's token."}, {'type': 'paragraph', 'content': 'The issue was fixed in version 2026.2.1 by enforcing ownership verification so that only the rightful owner can delete their PAT.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an authenticated user to revoke other users' Personal Access Tokens without permission, which could disrupt other users' access to the API development ecosystem."}, {'type': 'paragraph', 'content': 'However, the CVSS score is 0.0, indicating no impact on confidentiality, integrity, or availability, so the practical impact is limited to unauthorized token revocation rather than data compromise or service disruption.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API calls to the DELETE /v1/access-tokens/revoke endpoint and checking if any authenticated user is attempting to delete Personal Access Tokens (PATs) that they do not own.'}, {'type': 'paragraph', 'content': 'A practical approach is to log and audit requests to this endpoint, verifying whether the token ID being revoked belongs to the authenticated user making the request.'}, {'type': 'paragraph', 'content': "For example, you can use network traffic inspection tools or API gateway logs to identify suspicious DELETE requests with token IDs that do not match the requester's identity."}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but a sample curl command to test the vulnerability might be:'}, {'type': 'list_item', 'content': "curl -X DELETE 'https://your-hoppscotch-instance/v1/access-tokens/revoke?id=some-other-user-token-id' -H 'Authorization: Bearer <your_token>'"}, {'type': 'paragraph', 'content': 'If this request succeeds in deleting a token that does not belong to the authenticated user, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade hoppscotch to version 2026.2.1 or later, where the issue has been patched.

This update enforces ownership verification on the DELETE /v1/access-tokens/revoke endpoint, ensuring only the rightful owner can delete their Personal Access Tokens.

Until the upgrade is applied, restrict access to the vulnerable endpoint or monitor and audit usage closely to detect unauthorized token deletions.

Useful 0 Not Useful 0