CVE-2026-30825

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h

Configurations

No configuration.

History

09 Mar 2026, 21:16

Type	Values Removed	Values Added
Summary		(es) hoppscotch es un ecosistema de desarrollo de API de código abierto. Antes de la versión 2026.2.1, el endpoint DELETE /v1/access-tokens/revoke permite a cualquier usuario autenticado eliminar el PAT de cualquier otro usuario proporcionando su ID, sin verificación de propiedad. Este problema ha sido parcheado en la versión 2026.2.1.

07 Mar 2026, 06:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 06:16

Updated : 2026-03-09 21:16

NVD link : CVE-2026-30825

Mitre link : CVE-2026-30825

CVE.ORG link : CVE-2026-30825

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-30825", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-07T06:16:10.343", "references": [{"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1", "source": "security-advisories@github.com"}, {"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h", "source": "security-advisories@github.com"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1."}, {"lang": "es", "value": "hoppscotch es un ecosistema de desarrollo de API de c\u00f3digo abierto. Antes de la versi\u00f3n 2026.2.1, el endpoint DELETE /v1/access-tokens/revoke permite a cualquier usuario autenticado eliminar el PAT de cualquier otro usuario proporcionando su ID, sin verificaci\u00f3n de propiedad. Este problema ha sido parcheado en la versi\u00f3n 2026.2.1."}], "lastModified": "2026-03-09T21:16:19.620", "sourceIdentifier": "security-advisories@github.com"}