CVE-2026-28215
CVE-2026-28215
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- None
Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.
Comprehensive Technical Analysis of CVE-2026-28215
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2026-28215 CVSS Score: 9.1
The vulnerability in Hoppscotch, an open-source API development ecosystem, allows an unauthenticated attacker to overwrite the entire infrastructure configuration of a self-hosted instance. This includes OAuth provider credentials and SMTP settings by sending a single HTTP POST request to the endpoint /v1/onboarding/config without any authentication. The severity of this vulnerability is critical due to the potential for complete compromise of the instance's security configurations and user data.
Severity Evaluation:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Medium
The CVSS score of 9.1 indicates a critical vulnerability that requires immediate attention and remediation.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Unauthenticated Access: The primary attack vector is the lack of authentication on the
/v1/onboarding/configendpoint. An attacker can send a crafted HTTP POST request to this endpoint to overwrite the configuration. - Man-in-the-Middle (MitM) Attacks: Once the configuration is overwritten, the attacker can intercept OAuth tokens and email addresses during subsequent user logins.
- Credential Theft: The attacker can use the recovery token returned by the endpoint to read all stored secrets in plaintext, including SMTP passwords and other configured credentials.
Exploitation Methods:
- Configuration Overwrite: The attacker sends a POST request to
/v1/onboarding/configwith malicious configuration data. - OAuth Token Interception: The attacker replaces the OAuth application credentials with their own, causing all subsequent SSO logins to authenticate against the attacker's OAuth app.
- Secret Extraction: The attacker uses the recovery token to read all stored secrets, further compromising the instance's security.
3. Affected Systems and Software Versions
Affected Systems:
- Self-hosted instances of Hoppscotch prior to version 2026.2.0.
Software Versions:
- All versions of Hoppscotch before 2026.2.0 are vulnerable.
4. Recommended Mitigation Strategies
- Immediate Upgrade: Upgrade to Hoppscotch version 2026.2.0 or later, which includes the fix for this vulnerability.
- Network Segmentation: Implement network segmentation to isolate critical systems and reduce the attack surface.
- Access Controls: Ensure that all endpoints, especially those related to configuration, are protected by robust authentication and authorization mechanisms.
- Monitoring and Logging: Implement comprehensive monitoring and logging to detect and respond to any suspicious activities.
- Regular Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate potential security risks.
5. Impact on Cybersecurity Landscape
This vulnerability highlights the importance of securing configuration endpoints and ensuring proper authentication mechanisms are in place. The potential for complete compromise of user data and credentials underscores the need for vigilant security practices, especially in open-source projects. The incident serves as a reminder for organizations to regularly update and patch their systems to mitigate such risks.
6. Technical Details for Security Professionals
Vulnerability Details:
- Endpoint:
POST /v1/onboarding/config - Authentication: None
- Impact: Overwrite of infrastructure configuration, including OAuth provider credentials and SMTP settings.
Exploitation Steps:
- Crafting the Request: An attacker crafts an HTTP POST request to
/v1/onboarding/configwith malicious configuration data. - Sending the Request: The request is sent to the vulnerable Hoppscotch instance.
- Configuration Overwrite: The instance's configuration is overwritten with the attacker's data.
- OAuth Token Interception: Subsequent user logins via SSO authenticate against the attacker's OAuth app, allowing the attacker to capture OAuth tokens and email addresses.
- Secret Extraction: The attacker uses the recovery token to read all stored secrets in plaintext.
Mitigation Steps:
- Upgrade: Ensure all instances are upgraded to version 2026.2.0 or later.
- Authentication: Implement authentication and authorization checks on all configuration endpoints.
- Monitoring: Set up alerts for any unauthorized access attempts to configuration endpoints.
- Audit: Regularly audit the configuration and access logs to detect any anomalies.
References:
By addressing this vulnerability promptly and implementing robust security measures, organizations can significantly reduce the risk of such attacks and protect their critical infrastructure and user data.