Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.
AnalysisAI
Information disclosure in Hoppscotch (versions 2025.7.0 through pre-2026.4.0) allows unauthenticated remote attackers to retrieve all infrastructure secrets in plaintext by issuing a GET request to /v1/onboarding/config when the ONBOARDING_RECOVERY_TOKEN database value is an empty string. The flaw is an incomplete fix for CVE-2026-28215, which patched the POST counterpart but left the read endpoint exposed; publicly available exploit code exists per SSVC, although no public exploit identified at time of analysis in references, and EPSS is low at 0.04%.
Technical ContextAI
Hoppscotch is an open-source API development ecosystem (a self-hostable Postman alternative) consisting of a frontend, backend (NestJS), and admin dashboard. The onboarding subsystem exposes /v1/onboarding/config to bootstrap initial infrastructure configuration including SMTP credentials, OAuth client secrets, and database-derived values. CWE-284 (Improper Access Control) applies because the GET handler lacks the onboardingCompleted/canReRunOnboarding gating that was added to the POST handler in the CVE-2026-28215 remediation, and the access check additionally fails open when the ONBOARDING_RECOVERY_TOKEN persisted in the database is stored as an empty string - a common state in fresh or partially configured deployments.
RemediationAI
Vendor-released patch: upgrade to Hoppscotch 2026.4.0 or later, which adds proper authorization on the GET /v1/onboarding/config endpoint per advisory GHSA-7c8p-hj4p-3q3f (https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7c8p-hj4p-3q3f). If immediate upgrade is not possible, ensure the ONBOARDING_RECOVERY_TOKEN row in the database is set to a strong non-empty value rather than an empty string, which neutralizes the specific bypass condition; verify by inspecting the onboarding/config table directly. As an additional compensating control, block external access to the /v1/onboarding/* path at a reverse proxy or WAF and restrict it to administrator source IPs only - the trade-off is that legitimate re-onboarding flows will need to originate from the allowlisted network. Rotate any secrets (SMTP, OAuth, JWT, database credentials) that may have been exposed while the instance was reachable, since patching does not retroactively protect already-leaked material.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30201