CVE-2026-44478
Published: 13 May 2026
Summary
CVE-2026-44478 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.
Training covers access control policies and the consequences of improper access grants or usage by users.
Security training teaches access control policies and enforcement, reducing improper access control implementations.
Provides capability to review session content, directly detecting violations of access control.
System audit review detects violations of access controls by identifying unauthorized access attempts.
Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.
Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.
Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses.
NVD Description
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext…
more
to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)