CVE-2026-28215
Published: 26 February 2026
Description
Hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance, including OAuth provider credentials and SMTP settings, by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly limits and authorizes actions performable without identification or authentication, directly preventing unauthenticated POST requests to overwrite critical infrastructure configuration like OAuth and SMTP credentials.
AC-3 requires the system to enforce approved access authorizations, mitigating the lack of authentication guard on the /v1/onboarding/config endpoint that allows configuration overwrite.
CM-5 mandates restrictions on changes to system components including configuration settings, preventing unauthorized modifications to onboarding config and stored secrets.
Security Summary
CVE-2026-28215 is a critical vulnerability in Hoppscotch, an open source API development ecosystem, affecting self-hosted instances prior to version 2026.2.0. The issue stems from the POST /v1/onboarding/config endpoint lacking any authentication guard or check to prevent reuse after initial onboarding, allowing an unauthenticated attacker to overwrite the entire infrastructure configuration. This includes sensitive settings such as OAuth provider credentials for Google, GitHub, and Microsoft, as well as SMTP configurations. The vulnerability is rated 9.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284 (Improper Access Control) and CWE-287 (Improper Authentication).
Any unauthenticated attacker with network access to the Hoppscotch instance can exploit this by sending a single HTTP POST request to the vulnerable endpoint. Successful exploitation enables the attacker to replace the instance's OAuth application credentials with their own, redirecting all subsequent SSO logins to the attacker's OAuth app. This allows capture of OAuth tokens and email addresses from every user who logs in post-exploit. Additionally, the endpoint response includes a recovery token that grants plaintext access to all stored secrets, such as SMTP passwords and other configured credentials, enabling full compromise of the instance's configuration.
The Hoppscotch security advisory (GHSA-jwv8-867r-q9fg) and release notes for version 2026.2.0 detail the fix, which adds proper authentication and onboarding completion checks to the endpoint. Security practitioners should immediately upgrade self-hosted instances to version 2026.2.0 or later and review configurations for signs of tampering, such as unexpected OAuth credential changes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated exploitation of a public-facing web endpoint (T1190) enables the configuration overwrite that redirects SSO to an attacker-controlled OAuth app and so steals OAuth application access tokens (T1528); the returned recovery token exposes the stored configuration secrets (T1552); together these amount to credential access via exploitation (T1212).