Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-28215

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-26 Feb, 2026 | 22:34
Updated At-26 Feb, 2026 | 22:34
Rejected At-
Credits

hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:26 Feb, 2026 | 22:34
Updated At:26 Feb, 2026 | 22:34
Rejected At:
▼CVE Numbering Authority (CNA)
hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.

Affected Products
Vendor
hoppscotch
Product
hoppscotch
Versions
Affected
  • < 2026.2.0
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284: Improper Access Control
CWECWE-287CWE-287: Improper Authentication
Type: CWE
CWE ID: CWE-284
Description: CWE-284: Improper Access Control
Type: CWE
CWE ID: CWE-287
Description: CWE-287: Improper Authentication
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg
x_refsource_CONFIRM
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0
x_refsource_MISC
Hyperlink: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0
Resource:
x_refsource_MISC
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:26 Feb, 2026 | 23:16
Updated At:27 Feb, 2026 | 15:53

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CPE Matches
hoppscotch
hoppscotch
>>hoppscotch>>Versions before 2026.2.0(exclusive)
cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-284Primarysecurity-advisories@github.com
CWE-287Primarysecurity-advisories@github.com
CWE ID: CWE-284
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-287
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0security-advisories@github.com
Product
Release Notes
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fgsecurity-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

154Records found
CVE-2020-22657
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.29% / 52.26%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to perform WEB GUI login authentication bypass.

Action-Not Available
Vendor-ruckuswirelessn/a
Product-zonedirector_3000zonedirector_1200_firmwaret300_firmwarescg200_firmwarer600sz-100_firmwarevszvsz_firmwarer310_firmwarer600_firmwarer500_firmwarezonedirector_1100r500zonedirector_5000t301szonedirector_1100_firmwaret301s_firmwarer310zonedirector_3000_firmwarezonedirector_5000_firmwaret300scg200sz-300_firmwaresz-100zonedirector_1200t301n_firmwaresz-300t301nn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-6796
Matching Score-4
Assigner-Baxter Healthcare
ShareView Details
Matching Score-4
Assigner-Baxter Healthcare
CVSS Score-8.2||HIGH
EPSS-0.55% / 67.60%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 19:28
Updated-20 Sep, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerability in Baxter Connex Health Portal

In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content.

Action-Not Available
Vendor-Hill-Rom Holdings, Inc.Baxter International, Inc.
Product-connex_health_portalConnex Health Portalconnex_health_portal
CWE ID-CWE-284
Improper Access Control
CVE-2020-15240
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.4||HIGH
EPSS-0.09% / 24.95%
||
7 Day CHG~0.00%
Published-21 Oct, 2020 | 17:25
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Regression in JWT Signature Validation

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

Action-Not Available
Vendor-auth0auth0
Product-omniauth-auth0omniauth-auth0
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2024-48905
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.34% / 56.25%
||
7 Day CHG+0.22%
Published-01 May, 2025 | 00:00
Updated-04 Jun, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sematell ReplyOne 7.4.3.0 has Insecure Permissions for the /rest/sessions endpoint.

Action-Not Available
Vendor-sematelln/a
Product-replyonen/a
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found