
Description

Hoppscotch is an open-source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's personal access token (PAT) by supplying that token's ID: the handler deletes the token matching the ID without verifying that it belongs to the caller. This issue has been patched in version 2026.2.1.
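To make the missing check concrete, the following is an added example written for this page, not Hoppscotch's code. It models a token-revoke handler over a hypothetical in-memory store (the token IDs, user names and function names are all constructed for illustration) and shows the vulnerable shape beside the hardened one: the only difference is whether the lookup is scoped to the authenticated caller.

```typescript
// Added illustration of the access-control gap described above (CWE-639).
// Hypothetical in-memory model, not Hoppscotch's code.

interface AccessToken {
  id: string;
  ownerId: string;
  label: string;
}

type RevokeResult = "revoked" | "not_found";

// Constructed sample data: two users, each holding one personal access token.
// Every scenario below gets its own copy so the two handlers can be compared.
function freshStore(): Map<string, AccessToken> {
  return new Map<string, AccessToken>([
    ["tok-1", { id: "tok-1", ownerId: "alice", label: "alice-cli" }],
    ["tok-2", { id: "tok-2", ownerId: "bob", label: "bob-ci" }],
  ]);
}

// Vulnerable pattern: the handler trusts the caller-supplied token id and
// never compares the token's owner with the authenticated caller, so any
// logged-in user can revoke any token whose id they know or guess.
function revokeVulnerable(
  store: Map<string, AccessToken>,
  callerId: string,
  tokenId: string,
): RevokeResult {
  void callerId; // authenticated identity is available but never consulted
  return store.delete(tokenId) ? "revoked" : "not_found";
}

// Hardened pattern: the lookup is scoped to the caller. A token that exists
// but belongs to someone else is reported exactly like a missing one, so the
// endpoint also cannot be used to confirm which token ids exist.
function revokeSafe(
  store: Map<string, AccessToken>,
  callerId: string,
  tokenId: string,
): RevokeResult {
  const token = store.get(tokenId);
  if (token === undefined || token.ownerId !== callerId) {
    return "not_found";
  }
  store.delete(tokenId);
  return "revoked";
}

type RevokeHandler = typeof revokeSafe;

// Scenario 1: bob, authenticated as himself, submits alice's token id.
function crossUserRevoke(handler: RevokeHandler): { result: RevokeResult; victimTokenSurvives: boolean } {
  const store = freshStore();
  const result = handler(store, "bob", "tok-1");
  return { result, victimTokenSurvives: store.has("tok-1") };
}

// Scenario 2 (control): bob revokes his own token, which must keep working.
function ownRevoke(handler: RevokeHandler): { result: RevokeResult; tokenSurvives: boolean } {
  const store = freshStore();
  const result = handler(store, "bob", "tok-2");
  return { result, tokenSurvives: store.has("tok-2") };
}

// Stand-alone run: print both handlers' behaviour side by side.
for (const [name, handler] of [["vulnerable", revokeVulnerable], ["safe", revokeSafe]] as const) {
  console.log(name, "cross-user:", crossUserRevoke(handler), "own:", ownRevoke(handler));
}
```

In a database-backed service the same fix is the difference between deleting `WHERE id = ?` and deleting `WHERE id = ? AND user_id = ?` with the user ID taken from the authenticated session rather than from the request; returning the same "not found" response for both missing and foreign tokens keeps the endpoint from doubling as an ID oracle.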

PUBLISHED Reserved 2026-03-05 | Published 2026-03-07 | Updated 2026-03-07 | Assigner GitHub_M

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 2026.2.1
affected

References

github.com/...scotch/security/advisories/GHSA-7pfq-mwj3-xw9h

github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1

cve.org (CVE-2026-30825)

nvd.nist.gov (CVE-2026-30825)
