CVE-2026-30825: Hoppscotch Auth Bypass Vulnerability

CVE-2026-30825 Overview

CVE-2026-30825 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Hoppscotch, an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's Personal Access Token (PAT) by providing its ID, with no ownership verification. This authorization bypass vulnerability enables malicious actors to disrupt legitimate user sessions and API integrations.

Critical Impact

Any authenticated user can revoke other users' Personal Access Tokens, leading to denial of service for API integrations and potential disruption of automated workflows relying on PAT authentication.

Affected Products

• Hoppscotch versions prior to 2026.2.1
• Hoppscotch self-hosted deployments using vulnerable API endpoints
• Hoppscotch cloud instances running affected versions

Discovery Timeline

• 2026-03-07 - CVE-2026-30825 published to NVD
• 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-30825

Vulnerability Analysis

This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), a common authorization flaw where the application fails to verify that the requesting user has permission to access or modify the requested resource.

The vulnerable endpoint DELETE /v1/access-tokens/revoke accepts a PAT ID parameter but performs no validation to confirm that the authenticated user making the request is the owner of the token being revoked. This allows any authenticated user to enumerate and revoke tokens belonging to other users, effectively performing a horizontal privilege escalation attack.

The network-based attack vector with low complexity requirements means that exploitation is straightforward once an attacker has any valid authentication credentials to the platform.

Root Cause

The root cause of CVE-2026-30825 is missing authorization checks in the token revocation endpoint. The application authenticates the user making the request but fails to implement proper ownership validation before executing the delete operation on the Personal Access Token. This represents a classic broken access control vulnerability where authentication is enforced but authorization is not.

The endpoint likely processes requests by directly using the provided token ID to locate and delete the database record, without first verifying that the token's owner_id or equivalent field matches the authenticated user's identity.

Attack Vector

An attacker with valid authentication credentials to a Hoppscotch instance can exploit this vulnerability by sending HTTP DELETE requests to the /v1/access-tokens/revoke endpoint with arbitrary PAT IDs. The attack requires network access to the target Hoppscotch instance and low-privileged user credentials.

The attack flow involves: (1) authenticating to the Hoppscotch platform with any valid user account, (2) discovering or enumerating valid PAT IDs through various means such as sequential ID guessing or other information disclosure, and (3) sending DELETE requests to revoke tokens belonging to other users.

Since no ownership verification is performed, the server processes these requests successfully, revoking the targeted tokens and disrupting any integrations or automated workflows that depend on them. See the GitHub Security Advisory for additional technical details.

Detection Methods for CVE-2026-30825

Indicators of Compromise

• Unusual volume of DELETE requests to /v1/access-tokens/revoke endpoint from a single user
• Token revocation events where the requesting user ID does not match the token owner ID in audit logs
• User reports of unexpected PAT invalidation or API integration failures
• Pattern of sequential or enumerated token ID requests in access logs

Detection Strategies

• Implement API audit logging that captures both the requesting user and the token owner for all revocation events
• Monitor for anomalous deletion patterns targeting tokens owned by multiple different users
• Alert on high-frequency requests to the token revocation endpoint from individual sessions
• Review application logs for failed authorization attempts if partial fixes were applied

Monitoring Recommendations

• Enable detailed access logging on the /v1/access-tokens/revoke endpoint
• Configure SIEM rules to correlate token revocation events with user ownership data
• Implement rate limiting on sensitive token management endpoints
• Establish baseline metrics for normal PAT revocation activity to identify anomalies

How to Mitigate CVE-2026-30825

Immediate Actions Required

• Upgrade Hoppscotch to version 2026.2.1 or later immediately
• Review audit logs for suspicious token revocation activity prior to patching
• Regenerate Personal Access Tokens for all users if exploitation is suspected
• Notify users of potential token compromise and recommend credential rotation

Patch Information

Hoppscotch has addressed this vulnerability in version 2026.2.1. The patch implements proper ownership verification on the token revocation endpoint, ensuring that users can only revoke tokens they own. Organizations should update to this version or later as soon as possible.

For more details, refer to the GitHub Release Notes and the GitHub Security Advisory.

Workarounds

• Restrict network access to Hoppscotch API endpoints using firewall rules or VPN requirements
• Implement a Web Application Firewall (WAF) rule to monitor and limit requests to the /v1/access-tokens/revoke endpoint
• Temporarily disable the PAT functionality if feasible until patching can be completed
• Implement additional authentication requirements for sensitive operations at the network layer

# Example: Restrict access to sensitive endpoints using nginx
location /v1/access-tokens/revoke {
    # Limit to internal networks only until patched
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    
    # Add rate limiting
    limit_req zone=api_limit burst=5 nodelay;
    
    proxy_pass http://hoppscotch_backend;
}