PT-2026-22210 · Unknown · Hoppscotch

Reported by: Bugbunny-Research +1

Published: 2026-02-26 · Updated: 2026-05-14 · CVE-2026-28215

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Hoppscotch versions prior to 2026.2.0

Description: Hoppscotch, an API development ecosystem, had a critical security issue in self-hosted instances: the /v1/onboarding/config endpoint performed neither an authentication check nor a check that onboarding had already been completed, so an unauthenticated attacker could overwrite the instance's entire infrastructure configuration, including OAuth provider credentials and SMTP settings, with a single HTTP POST request. A successful exploit allowed the attacker to replace the OAuth application credentials and thereby capture OAuth tokens and email addresses of users logging in via SSO. The endpoint also returned a recovery token that granted access to all stored secrets in plaintext, including SMTP passwords and other configured credentials.

Recommendations: Update to version 2026.2.0 or later.

Exploit

Fix

Weakness Enumeration

Improper Authentication
Improper Access Control

Related Identifiers

CVE-2026-28215
GHSA-JWV8-867R-Q9FG

Affected Products

Hoppscotch