JustAppSec

Hoppscotch patches unauthenticated onboarding config takeover (CVE-2026-28215)

What happened

A critical Hoppscotch vulnerability (CVE-2026-28215) was published that allows an unauthenticated attacker to overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance with a single HTTP POST request to /v1/onboarding/config. The endpoint had no authentication guard and did not check whether onboarding had already been completed.
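To make the two missing checks concrete, here is an added illustration (not Hoppscotch's own code) of an onboarding-config handler in the shape the advisory describes, next to a hardened form that makes the endpoint single-use and requires an authenticated admin. The types InstanceState, Request and Response and the caller/isAdmin fields are assumptions for the example.

```typescript
// Added example, not Hoppscotch's own code. Models the onboarding
// endpoint as a plain function so the two missing checks stand out.

type InfraConfig = Record<string, string>;

interface InstanceState {
  onboardingCompleted: boolean; // set once first-run setup has finished
  config: InfraConfig;          // SSO, SMTP and other infra settings
}

interface Request {
  caller?: { isAdmin: boolean }; // identity established by an auth guard, if any
  body: InfraConfig;             // proposed replacement configuration
}

interface Response { status: number; message: string }

// Vulnerable shape: no auth guard and no "already onboarded" check, so
// anyone who can reach the endpoint replaces the whole configuration
// at any time, including the OAuth app credentials and SMTP settings.
function vulnerableOnboardingConfig(state: InstanceState, req: Request): Response {
  state.config = { ...req.body };
  state.onboardingCompleted = true;
  return { status: 200, message: "config saved" };
}

// Hardened shape: the endpoint is disabled once onboarding is complete
// (409) and, while it is still open, only an authenticated admin may
// call it (401). The state is mutated only after both checks pass.
function hardenedOnboardingConfig(state: InstanceState, req: Request): Response {
  if (state.onboardingCompleted) {
    return { status: 409, message: "onboarding already completed" };
  }
  if (!req.caller || !req.caller.isAdmin) {
    return { status: 401, message: "admin authentication required" };
  }
  state.config = { ...req.body };
  state.onboardingCompleted = true;
  return { status: 200, message: "config saved" };
}

// Constructed sample state for a stand-alone run.
function demo(): number {
  const state: InstanceState = { onboardingCompleted: true, config: { SMTP_HOST: "mail.example" } };
  const attempt: Request = { body: { SMTP_HOST: "evil.example" } }; // no caller identity
  return hardenedOnboardingConfig(state, attempt).status; // 409, config untouched
}
```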

Who is impacted

Self-hosted Hoppscotch deployments running versions prior to 2026.2.0 are affected. The impact includes the ability to replace the instance's Google/GitHub/Microsoft OAuth application credentials (capturing OAuth tokens and email addresses for subsequent logins) and obtain a recovery token that can be used to read stored secrets in plaintext (including SMTP passwords and other configured credentials).

What to do now

  • Upgrade Hoppscotch to 2026.2.0 or later.
  • Treat the instance as potentially compromised if it was Internet-accessible: rotate OAuth app secrets (Google/GitHub/Microsoft), SMTP credentials, and any other secrets stored in Hoppscotch configuration.
  • Review onboarding/configuration state and audit for unexpected changes to SSO or email/SMTP settings.

Additional Information

  • Affected endpoint: POST /v1/onboarding/config.
  • Fixed version: 2026.2.0.
  • Severity (CVSS v3.1): 9.1 (CRITICAL).
Source: CVE Project
Published 26 Feb 2026. Updated 26 Feb 2026.