CVE-2026-28215 (GCVE-0-2026-28215)

Vulnerability from cvelistv5 – Published: 2026-02-26 22:34 – Updated: 2026-02-26 22:34
Title
hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover
Summary
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance, including OAuth provider credentials and SMTP settings, by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.
CWE
CWE-284: Improper Access Control; CWE-287: Improper Authentication
Assigner
GitHub_M (GitHub)
Impacted products
Vendor      Product     Version
hoppscotch  hoppscotch  Affected: < 2026.2.0
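The record above gives a practitioner two immediate questions: is my instance in the affected range, and has anyone other than the administrator ever hit POST /v1/onboarding/config? The following triage script is an added example written for this page; it is not Hoppscotch code and is not taken from the advisory. It assumes the reverse proxy in front of the backend writes Common/Combined Log Format lines, that the backend may be mounted under a path prefix such as /backend (an assumption about deployment layout), and that version tags look like the CalVer string 2026.2.0 used in the advisory. The log lines inside the block are constructed, not real traffic.

```python
"""Triage helpers for CVE-2026-28215 (Hoppscotch onboarding config takeover).

Added example, not Hoppscotch code. Assumptions are marked inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fix version from the advisory and the NVD CPE match (versionEndExcluding 2026.2.0).
FIXED_VERSION = (2026, 2, 0)
# Endpoint named in the advisory.
ENDPOINT = "/v1/onboarding/config"


def parse_version(tag: str) -> tuple[int, ...]:
    """Parse a CalVer-style tag such as '2026.2.0' or 'v2025.12.3' into ints.

    A non-numeric suffix on a component (e.g. '0-rc1') is dropped and missing
    components are padded with 0; both are assumptions about tag shape, not
    Hoppscotch policy.
    """
    nums = []
    for part in tag.strip().lstrip("v").split("."):
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(tag: str) -> bool:
    """True when the running version is below the fixed release."""
    return parse_version(tag) < FIXED_VERSION


# Common/Combined Log Format as written by nginx or Apache in front of the
# backend (assumption: your proxy logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class OnboardingPost:
    ip: str
    timestamp: str
    status: int
    path: str


def find_onboarding_posts(lines) -> list[OnboardingPost]:
    """Return every POST to the onboarding config endpoint seen in the log.

    The path is matched by suffix because self-hosted deployments often mount
    the backend under a prefix such as /backend behind a reverse proxy
    (assumption about deployment layout, not taken from the advisory).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]  # drop any query string
        if m["method"] == "POST" and path.endswith(ENDPOINT):
            hits.append(OnboardingPost(m["ip"], m["ts"], int(m["status"]), path))
    return hits


def successful_posts(hits) -> list[OnboardingPost]:
    """Posts the backend accepted (2xx).

    A healthy instance sees exactly one, from the administrator who ran initial
    setup. Any other accepted POST means the stored configuration, including
    OAuth client secrets and SMTP credentials, must be treated as
    attacker-controlled.
    """
    return [h for h in hits if 200 <= h.status < 300]


# Constructed sample log lines (not real traffic). 198.51.100.4 is the admin
# completing setup; 203.0.113.7 re-posts the config the next day.
SAMPLE_LOG = [
    '198.51.100.4 - - [26/Feb/2026:10:05:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Feb/2026:10:05:43 +0000] "POST /backend/v1/onboarding/config HTTP/1.1" 201 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Feb/2026:10:07:01 +0000] "POST /backend/graphql HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Feb/2026:03:14:09 +0000] "POST /backend/v1/onboarding/config HTTP/1.1" 201 412 "-" "python-requests/2.32"',
    '203.0.113.7 - - [27/Feb/2026:03:14:10 +0000] "POST /backend/v1/onboarding/config?retry=1 HTTP/1.1" 500 31 "-" "python-requests/2.32"',
]


if __name__ == "__main__":
    print("2026.1.0 affected:", is_affected("2026.1.0"))
    for h in successful_posts(find_onboarding_posts(SAMPLE_LOG)):
        print(f"{h.timestamp} {h.ip} POST {h.path} -> {h.status}")
```

On the sample data the script reports two accepted POSTs, one from the setup session and one from a second address a day later; the second is the indicator to act on. Because the endpoint also hands back a recovery token that reads every stored secret in plaintext, a single unauthorized 2xx response means the OAuth client secrets and SMTP password should be rotated, not just the upgrade to 2026.2.0 applied, and SSO users who logged in after that timestamp should be assumed to have authenticated against the attacker's OAuth app.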

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "hoppscotch",
          "vendor": "hoppscotch",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings  by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance\u0027s Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker\u0027s OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T22:34:46.524Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg"
        },
        {
          "name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-jwv8-867r-q9fg",
        "discovery": "UNKNOWN"
      },
      "title": "hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28215",
    "datePublished": "2026-02-26T22:34:46.524Z",
    "dateReserved": "2026-02-25T15:28:40.649Z",
    "dateUpdated": "2026-02-26T22:34:46.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28215\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T23:16:35.940\",\"lastModified\":\"2026-02-27T15:53:07.053\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings  by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance\u0027s Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker\u0027s OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"hoppscotch es un ecosistema de desarrollo de API de c\u00f3digo abierto. Antes de la versi\u00f3n 2026.2.0, un atacante no autenticado puede sobrescribir toda la configuraci\u00f3n de infraestructura de una instancia de Hoppscotch autoalojada, incluyendo las credenciales del proveedor OAuth y la configuraci\u00f3n SMTP, enviando una \u00fanica solicitud HTTP POST sin autenticaci\u00f3n. El endpoint POST /v1/onboarding/config no tiene protecci\u00f3n de autenticaci\u00f3n y no realiza ninguna comprobaci\u00f3n sobre si la incorporaci\u00f3n ya se complet\u00f3. 
Un exploit exitoso permite al atacante reemplazar las credenciales de la aplicaci\u00f3n OAuth de Google/GitHub/Microsoft de la instancia con las suyas propias, haciendo que todos los inicios de sesi\u00f3n de usuario posteriores a trav\u00e9s de SSO se autentiquen contra la aplicaci\u00f3n OAuth del atacante. El atacante captura tokens OAuth y direcciones de correo electr\u00f3nico de cada usuario que inicia sesi\u00f3n despu\u00e9s del exploit. Adem\u00e1s, el endpoint devuelve un token de recuperaci\u00f3n que puede usarse para leer todos los secretos almacenados en texto plano, incluyendo contrase\u00f1as SMTP y cualquier otra credencial configurada. La versi\u00f3n 2026.2.0 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2026.2.0\",\"matchCriteriaId\":\"3FF8DA47-4B0B-4592-80AD-66C7913AD164\"}]}]}],\"references\":[{\"url\":\"https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release 
Notes\"]},{\"url\":\"https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

