Skip to main content

Hoppscotch EUVDEUVD-2026-30201

| CVE-2026-44478 HIGH
Improper Access Control (CWE-284)
2026-05-13 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 09:11 vuln.today
Patch available
May 13, 2026 - 23:17 EUVD

DescriptionGitHub Advisory

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.

AnalysisAI

Information disclosure in Hoppscotch (versions 2025.7.0 through pre-2026.4.0) allows unauthenticated remote attackers to retrieve all infrastructure secrets in plaintext by issuing a GET request to /v1/onboarding/config when the ONBOARDING_RECOVERY_TOKEN database value is an empty string. The flaw is an incomplete fix for CVE-2026-28215, which patched the POST counterpart but left the read endpoint exposed; publicly available exploit code exists per SSVC, although no public exploit identified at time of analysis in references, and EPSS is low at 0.04%.

Technical ContextAI

Hoppscotch is an open-source API development ecosystem (a self-hostable Postman alternative) consisting of a frontend, backend (NestJS), and admin dashboard. The onboarding subsystem exposes /v1/onboarding/config to bootstrap initial infrastructure configuration including SMTP credentials, OAuth client secrets, and database-derived values. CWE-284 (Improper Access Control) applies because the GET handler lacks the onboardingCompleted/canReRunOnboarding gating that was added to the POST handler in the CVE-2026-28215 remediation, and the access check additionally fails open when the ONBOARDING_RECOVERY_TOKEN persisted in the database is stored as an empty string - a common state in fresh or partially configured deployments.

RemediationAI

Vendor-released patch: upgrade to Hoppscotch 2026.4.0 or later, which adds proper authorization on the GET /v1/onboarding/config endpoint per advisory GHSA-7c8p-hj4p-3q3f (https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7c8p-hj4p-3q3f). If immediate upgrade is not possible, ensure the ONBOARDING_RECOVERY_TOKEN row in the database is set to a strong non-empty value rather than an empty string, which neutralizes the specific bypass condition; verify by inspecting the onboarding/config table directly. As an additional compensating control, block external access to the /v1/onboarding/* path at a reverse proxy or WAF and restrict it to administrator source IPs only - the trade-off is that legitimate re-onboarding flows will need to originate from the allowlisted network. Rotate any secrets (SMTP, OAuth, JWT, database credentials) that may have been exposed while the instance was reachable, since patching does not retroactively protect already-leaked material.

Share

EUVD-2026-30201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy