CVE-2026-28215 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: February 26, 2026
Hoppscotch - Authentication Bypass
Published: February 26, 2026 | Updated: February 26, 2026 | Remote Exploitable
Overview
Hoppscotch versions prior to 2026.2.0 do not require authentication on POST /v1/onboarding/config. A remote attacker who can reach that endpoint can overwrite the instance's infrastructure configuration and use that access to capture OAuth tokens. No credentials and no user interaction are needed.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
An unauthenticated attacker can hijack the instance's OAuth credentials, capture user tokens and e-mail addresses, and read all stored secrets, compromising both user data and the integrity of the deployment.
Mitigation
Update to version 2026.2.0 or later. Because an exposed instance may already have had its configuration overwritten, review the onboarding configuration after upgrading and rotate any OAuth client credentials and stored secrets that could have been captured.
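Upgrading closes the endpoint but does not tell you whether it was used. The following is an added example, not from the advisory or the Hoppscotch project: a triage pass over reverse-proxy access logs in Apache/nginx combined format that lists successful POSTs to /v1/onboarding/config from addresses you do not recognize. Before 2026.2.0 every such request came from an unauthenticated caller, so each 2xx hit is a configuration write to account for. The log lines and the trusted-address set are constructed.

```typescript
// Added example (not from the advisory or Hoppscotch): find successful
// POST /v1/onboarding/config requests in combined-format access logs.

interface ConfigPostHit {
  clientIp: string;
  timestamp: string;
  path: string;
  status: number;
  userAgent: string;
}

// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const COMBINED_LINE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

const TARGET_PATH = "/v1/onboarding/config";

// Parse one line; return a hit only for POSTs to the target route.
function parseConfigPost(line: string): ConfigPostHit | null {
  const m = COMBINED_LINE.exec(line);
  if (m === null) return null;
  const clientIp = m[1] ?? "";
  const timestamp = m[2] ?? "";
  const method = m[3] ?? "";
  const rawPath = m[4] ?? "";
  const status = Number(m[5] ?? "0");
  const userAgent = m[6] ?? "";
  const path = rawPath.split("?")[0] ?? rawPath; // ignore any query string
  if (method !== "POST" || path !== TARGET_PATH) return null;
  return { clientIp, timestamp, path, status, userAgent };
}

// Successful (2xx) writes from untrusted addresses: these changed state.
function findSuccessfulConfigWrites(lines: string[], trustedIps: Set<string>): ConfigPostHit[] {
  const hits: ConfigPostHit[] = [];
  for (const line of lines) {
    const hit = parseConfigPost(line);
    if (hit === null) continue;
    if (hit.status >= 200 && hit.status < 300 && !trustedIps.has(hit.clientIp)) {
      hits.push(hit);
    }
  }
  return hits;
}

// Constructed sample lines (not real traffic).
const SAMPLE_LOG: string[] = [
  '10.0.0.5 - - [25/Feb/2026:09:12:01 +0000] "GET /v1/onboarding/config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [25/Feb/2026:09:12:09 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
  '203.0.113.77 - - [25/Feb/2026:11:40:13 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 42 "-" "python-requests/2.31"',
  '203.0.113.77 - - [25/Feb/2026:11:40:15 +0000] "POST /v1/onboarding/config?x=1 HTTP/1.1" 500 88 "-" "python-requests/2.31"',
  '198.51.100.9 - - [26/Feb/2026:02:03:44 +0000] "POST /v1/onboarding/config HTTP/1.1" 401 20 "-" "curl/8.5.0"',
  '198.51.100.9 - - [26/Feb/2026:02:03:50 +0000] "POST /v1/auth/login HTTP/1.1" 200 120 "-" "curl/8.5.0"',
];

// Constructed: the administrator's own workstation address.
const TRUSTED_ADMIN_IPS = new Set<string>(["10.0.0.5"]);
```

With the sample input, `findSuccessfulConfigWrites(SAMPLE_LOG, TRUSTED_ADMIN_IPS)` returns the single 200 from 203.0.113.77; the failed 500, the 401 (which on this route indicates a patched instance) and the administrator's own write are dropped. Access logs show that a write happened, not what was written, so a hit should be followed by comparing the running configuration against the expected values and rotating the OAuth credentials the advisory says can be captured.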
Details
- CVE ID: CVE-2026-28215
- Severity: Critical
- CVSS Score: 9.1
- Type: Broken access control
- Status: new
CWE
- CWE-284 (Improper Access Control)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable, low attack complexity, no privileges and no user interaction required, unchanged scope, high confidentiality and integrity impact, no availability impact.