
CVE-2026-44478: Hoppscotch Information Disclosure Flaw

CVE-2026-44478 is an information disclosure vulnerability in Hoppscotch that exposes infrastructure secrets to unauthenticated users. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2026-44478 Overview

CVE-2026-44478 affects Hoppscotch, an open source API development ecosystem. The vulnerability allows unauthenticated attackers to retrieve infrastructure secrets in plaintext through the GET /v1/onboarding/config endpoint. The flaw represents an incomplete fix for CVE-2026-28215, which addressed the corresponding POST endpoint but left the GET path exposed. When the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string, the endpoint returns all configured secrets without requiring authentication. The issue is classified under [CWE-284] Improper Access Control. Hoppscotch resolved the vulnerability in version 2026.4.0.

Critical Impact

Unauthenticated remote attackers can extract infrastructure secrets in plaintext from affected Hoppscotch deployments via a single HTTP GET request.

Affected Products

  • Hoppscotch versions from 2026.2.0 up to (but not including) 2026.4.0
  • Self-hosted Hoppscotch instances exposing the onboarding API
  • Deployments where ONBOARDING_RECOVERY_TOKEN is stored as an empty string

Discovery Timeline

  • 2026-05-13 - CVE-2026-44478 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-44478

Vulnerability Analysis

The vulnerability resides in Hoppscotch's onboarding configuration API. The original fix for CVE-2026-28215 introduced server-side checks on the POST /v1/onboarding/config endpoint, validating onboardingCompleted and canReRunOnboarding flags before permitting configuration overwrites. These checks were not applied to the corresponding GET /v1/onboarding/config endpoint. As a result, the read path continues to return the full onboarding configuration, including infrastructure secrets, to any unauthenticated caller.

The condition becomes exploitable when the recovery token persisted in the database is an empty string. Under that state, the GET handler treats the request as a legitimate recovery flow and serves the configuration without authentication. Attackers can harvest credentials, API keys, and other sensitive provisioning values directly from the response body.

Root Cause

The root cause is improper access control [CWE-284] on the configuration read endpoint. The remediation for CVE-2026-28215 was scoped only to the write path. The GET handler relied on the presence of a non-empty ONBOARDING_RECOVERY_TOKEN as an implicit authorization gate, but did not reject requests when that token value was empty.

Attack Vector

Exploitation requires only network access to the Hoppscotch instance. An attacker sends an unauthenticated HTTP GET request to /v1/onboarding/config. If the deployment stores an empty recovery token, the server returns the full plaintext configuration. No user interaction or privileges are required, and no reconnaissance beyond endpoint enumeration is needed. The vulnerability impacts confidentiality only; integrity and availability are not directly affected.

No verified public proof-of-concept code is referenced in the advisory. Refer to the Hoppscotch GitHub Security Advisory GHSA-7c8p-hj4p-3q3f for vendor-confirmed technical details.

Detection Methods for CVE-2026-44478

Indicators of Compromise

  • Unauthenticated HTTP GET requests to /v1/onboarding/config in reverse proxy or application logs
  • HTTP 200 responses from /v1/onboarding/config containing configuration key names or secret values
  • Requests to the onboarding API originating from unexpected external IP addresses or scanning ranges

Detection Strategies

  • Inspect Hoppscotch application logs and upstream proxy logs for any access to /v1/onboarding/config from non-administrative sources
  • Query the database to confirm whether ONBOARDING_RECOVERY_TOKEN is set to an empty string, which marks the instance as exploitable
  • Compare deployed Hoppscotch versions against the fixed release 2026.4.0 across all environments
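The log-inspection strategy above, as an added example that is not part of the advisory or of Hoppscotch's own tooling: it scans reverse-proxy access lines in the common combined format for requests to /v1/onboarding/config and flags successful GETs from unauthenticated or non-trusted sources. The log lines and the trusted network range are constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [13/May/2026:10:01:02 +0000] "GET /v1/onboarding/config HTTP/1.1" 200 1843
203.0.113.9 - - [13/May/2026:10:05:44 +0000] "GET /v1/onboarding/config HTTP/1.1" 200 1843
203.0.113.9 - - [13/May/2026:10:05:45 +0000] "GET /v1/health HTTP/1.1" 200 12
198.51.100.23 - - [13/May/2026:10:07:10 +0000] "POST /v1/onboarding/config HTTP/1.1" 403 27
"""

# Hypothetical: address ranges from which administrative access is expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
ONBOARDING_PATH = "/v1/onboarding/config"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    status: int
    severity: str  # "high" = likely secret disclosure, "info" = other access

def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per request to the onboarding config endpoint.

    A GET that returned 200 to an unauthenticated caller ("-" in the user
    field) or to an address outside TRUSTED_NETS is rated "high": under the
    empty-token condition that response body carries the plaintext secrets.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?")[0] != ONBOARDING_PATH:
            continue
        status = int(m["status"])
        suspicious = m["user"] == "-" or not is_trusted(m["ip"])
        disclosed = m["method"] == "GET" and status == 200 and suspicious
        findings.append(Finding(m["ip"], m["ts"], m["method"], status,
                                "high" if disclosed else "info"))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:4} {f.ts} {f.ip} {f.method} {f.status}")
```

Feed it the proxy log covering the period before the upgrade; any "high" finding means the secrets in the onboarding configuration must be treated as exposed and rotated.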

Monitoring Recommendations

  • Alert on any successful response to /v1/onboarding/config from unauthenticated sessions
  • Monitor for credential reuse patterns that may indicate leaked secrets are being exercised against connected services
  • Track outbound use of API keys and tokens defined in the onboarding configuration to detect post-disclosure abuse

How to Mitigate CVE-2026-44478

Immediate Actions Required

  • Upgrade all Hoppscotch deployments to version 2026.4.0 or later
  • Rotate every credential, API key, and secret that was present in the onboarding configuration of affected instances
  • Restrict network exposure of the Hoppscotch admin and onboarding endpoints to trusted networks until patching is complete
  • Audit access logs for prior requests to /v1/onboarding/config to determine whether disclosure already occurred

Patch Information

Hoppscotch released the fix in version 2026.4.0. The patch enforces access control on the GET /v1/onboarding/config endpoint and addresses the empty ONBOARDING_RECOVERY_TOKEN bypass condition. Patch details are documented in the Hoppscotch GitHub Security Advisory GHSA-7c8p-hj4p-3q3f.

Workarounds

  • Block external access to /v1/onboarding/config at the reverse proxy or web application firewall layer
  • Ensure ONBOARDING_RECOVERY_TOKEN is set to a strong, non-empty value in the database
  • Place Hoppscotch instances behind authenticated network controls such as a VPN or zero trust proxy until the upgrade is applied

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.