CVE-2026-28215

{"id": "CVE-2026-28215", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-02-26T23:16:35.940", "references": [{"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue."}, {"lang": "es", "value": "hoppscotch es un ecosistema de desarrollo de API de c\u00f3digo abierto. Antes de la versi\u00f3n 2026.2.0, un atacante no autenticado puede sobrescribir toda la configuraci\u00f3n de infraestructura de una instancia de Hoppscotch autoalojada, incluyendo las credenciales del proveedor OAuth y la configuraci\u00f3n SMTP, enviando una \u00fanica solicitud HTTP POST sin autenticaci\u00f3n. El endpoint POST /v1/onboarding/config no tiene protecci\u00f3n de autenticaci\u00f3n y no realiza ninguna comprobaci\u00f3n sobre si la incorporaci\u00f3n ya se complet\u00f3. Un exploit exitoso permite al atacante reemplazar las credenciales de la aplicaci\u00f3n OAuth de Google/GitHub/Microsoft de la instancia con las suyas propias, haciendo que todos los inicios de sesi\u00f3n de usuario posteriores a trav\u00e9s de SSO se autentiquen contra la aplicaci\u00f3n OAuth del atacante. El atacante captura tokens OAuth y direcciones de correo electr\u00f3nico de cada usuario que inicia sesi\u00f3n despu\u00e9s del exploit. Adem\u00e1s, el endpoint devuelve un token de recuperaci\u00f3n que puede usarse para leer todos los secretos almacenados en texto plano, incluyendo contrase\u00f1as SMTP y cualquier otra credencial configurada. La versi\u00f3n 2026.2.0 soluciona el problema."}], "lastModified": "2026-02-27T15:53:07.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FF8DA47-4B0B-4592-80AD-66C7913AD164", "versionEndExcluding": "2026.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}