Home / Vulnerability Intelligence / CVE-2026-28215

CVE-2026-28215 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: February 27, 2026

Hoppscotch - Authentication Bypass

Published: February 26, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

Hoppscotch prior to 2026.2.0 contains an authentication bypass caused by lack of authentication on POST /v1/onboarding/config, letting unauthenticated attackers overwrite infrastructure configuration and capture OAuth tokens, exploit requires no authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 5.9%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can hijack OAuth credentials, capture user tokens and emails, and access all stored secrets, compromising user data and system integrity.

Mitigation

Update to version 2026.2.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 28, 2026

🔴 CVE-2026-28215 - Critical (9.1) hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28215/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28215
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: confirmed
EPSS: 5.9%
Social Posts: 1

CWE

CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

5.9%Probability of exploitation in the next 30 days