
CVE-2026-28215: Hoppscotch Auth Bypass Vulnerability

CVE-2026-28215 is an authentication bypass flaw in Hoppscotch that allows attackers to overwrite infrastructure configurations and capture user credentials. This article covers technical details, affected versions, and mitigation.

CVE-2026-28215 Overview

CVE-2026-28215 is a critical authentication bypass vulnerability affecting self-hosted instances of Hoppscotch, an open source API development ecosystem. The vulnerability allows an unauthenticated attacker to completely overwrite the infrastructure configuration of a Hoppscotch instance, including OAuth provider credentials and SMTP settings, by sending a single HTTP POST request without any authentication.

The vulnerable endpoint POST /v1/onboarding/config lacks an authentication guard and performs no validation to check whether onboarding was already completed. This allows attackers to repeatedly exploit this endpoint on production instances that have already been configured.

Critical Impact

An unauthenticated attacker can hijack all user authentication by replacing OAuth credentials with attacker-controlled applications, capture OAuth tokens and email addresses of all users who subsequently log in, and obtain a recovery token that exposes all stored secrets including SMTP passwords in plaintext.

Affected Products

  • Hoppscotch self-hosted instances prior to version 2026.2.0
  • Any deployment using OAuth SSO (Google, GitHub, Microsoft) authentication
  • Instances with SMTP or other credential configurations

Discovery Timeline

  • 2026-02-26 - CVE-2026-28215 published to NVD
  • 2026-02-26 - Last updated in the NVD database

Technical Details for CVE-2026-28215

Vulnerability Analysis

This vulnerability is classified as CWE-284 (Improper Access Control) and represents a severe authorization bypass in the Hoppscotch onboarding workflow. The attack can be executed remotely over the network with no user interaction required and no prior authentication needed.

A successful exploit leads to complete compromise of confidentiality and integrity for the affected instance. Attackers can capture credentials of all users who authenticate after the attack, access all stored secrets, and potentially pivot to connected services using the captured SMTP and OAuth credentials.

Root Cause

The root cause of this vulnerability is the complete absence of authentication controls on the /v1/onboarding/config endpoint. The endpoint was designed for initial instance setup but fails to implement two critical security checks:

  1. Missing authentication guard - The endpoint accepts requests from any source without requiring authentication tokens or session validation
  2. Missing state validation - The endpoint does not verify whether the onboarding process was already completed, allowing configurations to be overwritten at any time

Attack Vector

The attack vector is network-based and requires only HTTP access to the vulnerable Hoppscotch instance. An attacker can exploit this vulnerability through the following steps:

  1. Discovery - Identify a self-hosted Hoppscotch instance accessible over the network
  2. Exploitation - Send a crafted POST request to /v1/onboarding/config containing attacker-controlled OAuth application credentials
  3. Credential Harvesting - Wait for users to authenticate via SSO, capturing their OAuth tokens and email addresses through the attacker's OAuth application
  4. Secret Extraction - Use the recovery token returned from the exploit to read all stored secrets in plaintext

The vulnerability requires no special privileges, no user interaction, and can be exploited with a single HTTP request. The endpoint returns a recovery token that provides direct access to sensitive configuration data including SMTP passwords.

Detection Methods for CVE-2026-28215

Indicators of Compromise

  • Unexpected HTTP POST requests to the /v1/onboarding/config endpoint in access logs
  • Changes to OAuth provider configurations (Google, GitHub, Microsoft client IDs/secrets)
  • Modified SMTP settings or email configuration
  • Unfamiliar recovery token generation events in application logs
  • User reports of OAuth authentication redirecting to unexpected domains

Detection Strategies

  • Monitor web server access logs for POST requests to /v1/onboarding/config from external IP addresses
  • Implement alerting on configuration changes to OAuth provider settings
  • Review authentication logs for users authenticating against unexpected OAuth application IDs
  • Deploy web application firewall rules to detect and block unauthorized configuration endpoint access
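The first two strategies above can be scripted. The following TypeScript is an added example, not part of the original page or the Hoppscotch project, that parses nginx combined-format access-log lines and flags POST requests to /v1/onboarding/config from addresses outside a trusted IPv4 range. The log lines and the trusted range are constructed for illustration.

```typescript
// Added example (not from the page or the Hoppscotch project). Flags POST requests to the
// onboarding endpoint that did not come from a trusted IPv4 range. Sample lines and the
// trusted range are constructed for illustration.

interface Hit { ip: string; time: string; status: number; line: string; }

// nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) return -1;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr), ipN = ipv4ToInt(ip), netN = ipv4ToInt(net);
  if (ipN < 0 || netN < 0 || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // JS shifts are mod 32
  return ((ipN & mask) >>> 0) === ((netN & mask) >>> 0);
}

function findOnboardingHits(lines: string[], trusted: string[]): Hit[] {
  const hits: Hit[] = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, path, status] = m;
    if (method !== "POST" || path.split("?")[0] !== "/v1/onboarding/config") continue;
    if (trusted.some(c => inCidr(ip, c))) continue; // installer's own network: expected
    hits.push({ ip, time, status: Number(status), line });
  }
  return hits;
}

// Constructed sample log lines (not real traffic): one trusted setup call, one
// external overwrite that succeeded, one GET, and one blocked external attempt.
const SAMPLE_LOG = [
  '10.0.0.5 - - [26/Feb/2026:09:00:01 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '203.0.113.7 - - [26/Feb/2026:11:42:10 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 498 "-" "python-requests/2.31.0"',
  '203.0.113.9 - - [26/Feb/2026:11:43:55 +0000] "GET /v1/onboarding/config HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [26/Feb/2026:11:44:02 +0000] "POST /v1/onboarding/config?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"',
];
const TRUSTED_RANGES = ["10.0.0.0/8"];

// Entry point for the sample; a real deployment would feed lines from the access log.
function scanSample(): Hit[] { return findOnboardingHits(SAMPLE_LOG, TRUSTED_RANGES); }
```

A hit with status 200 from an untrusted address is the case that warrants the credential rotation listed under mitigation, since the overwrite succeeded; a 403 shows the workaround block is doing its job.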

Monitoring Recommendations

  • Configure real-time alerts for any access to the onboarding configuration endpoint on production instances
  • Establish baseline OAuth application credentials and monitor for unauthorized modifications
  • Implement integrity monitoring for configuration files and database entries containing OAuth credentials
  • Enable verbose logging for authentication-related events to track potential credential theft

How to Mitigate CVE-2026-28215

Immediate Actions Required

  • Upgrade all self-hosted Hoppscotch instances to version 2026.2.0 or later immediately
  • Review OAuth provider configurations to ensure they have not been tampered with
  • Rotate all OAuth application credentials (Google, GitHub, Microsoft) as a precaution
  • Change SMTP passwords and any other credentials stored in the instance configuration
  • Review authentication logs for signs of unauthorized OAuth application usage

Patch Information

The vulnerability is fixed in Hoppscotch version 2026.2.0. The patch implements proper authentication guards on the onboarding endpoint and adds validation to prevent configuration overwrites after initial setup is complete.

For detailed patch information, see the GitHub Release 2026.2.0 and the GitHub Security Advisory GHSA-jwv8-867r-q9fg.

Workarounds

  • Restrict network access to the Hoppscotch instance using firewall rules to trusted IP ranges only
  • Implement a reverse proxy with authentication requirements for administrative endpoints
  • Block access to /v1/onboarding/config at the web server or load balancer level using URL-based access controls
  • Monitor and alert on any POST requests to the vulnerable endpoint until patching is complete
```nginx
# Example nginx configuration to block the vulnerable endpoint.
# Place this inside the server block that proxies the Hoppscotch backend; nginx
# selects the longest matching prefix, so this wins over a general "location /" proxy.
location /v1/onboarding/config {
    # "return" answers in the rewrite phase, before the request reaches the backend;
    # "deny all" is kept as a fallback in case the "return" line is removed later.
    deny all;
    return 403;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
