{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30825", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.605Z", "datePublished": "2026-03-07T05:13:13.987Z", "dateUpdated": "2026-03-09T20:42:45.007Z"}, "containers": {"cna": {"title": "hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h"}, {"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2026.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:13:13.987Z"}, "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1."}], "source": {"advisory": "GHSA-7pfq-mwj3-xw9h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T20:42:42.290769Z", "id": "CVE-2026-30825", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:42:45.007Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30825", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:42:42.290769Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:42:36.208Z"}}], "cna": {"title": "hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token", "source": {"advisory": "GHSA-7pfq-mwj3-xw9h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"status": "affected", "version": "< 2026.2.1"}]}], "references": [{"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h", "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1", "name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:13:13.987Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30825", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:42:45.007Z", "dateReserved": "2026-03-05T21:06:44.605Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T05:13:13.987Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*", "matchCriteriaId": "29991DF9-EBE9-492D-AF0C-B1B71534FC8B", "versionEndExcluding": "2026.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1."}, {"lang": "es", "value": "hoppscotch es un ecosistema de desarrollo de API de c\u00f3digo abierto. Antes de la versi\u00f3n 2026.2.1, el endpoint DELETE /v1/access-tokens/revoke permite a cualquier usuario autenticado eliminar el PAT de cualquier otro usuario proporcionando su ID, sin verificaci\u00f3n de propiedad. Este problema ha sido parcheado en la versi\u00f3n 2026.2.1."}], "id": "CVE-2026-30825", "lastModified": "2026-03-11T19:01:34.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-07T06:16:10.343", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hoppscotch", "source": "cna", "vendor": "hoppscotch"}, "product": "hoppscotch", "vendor": "hoppscotch"}], "analysis": {"en": {"generated_at": "2026-04-18T17:27:51.474059+00:00", "value": {"mitigation_remediation": ["Upgrade hoppscotch to version 2026.2.1 or newer, which adds ownership verification to the revocation endpoint.", "Audit existing personal access tokens across all users, and regenerate or reissue tokens that were revoked without authorization or that should no longer be active.", "Enable logging and alerting for token revocation events, and use these logs to detect suspicious cross-user revocations and to notify affected users."], "summary": {"action": "Patch immediately", "impact": "Unauthorized revocation of personal access tokens"}, "threat_synthesis": {"affected_systems": "All installations of hoppscotch running any version prior to 2026.2.1 are affected. The vulnerability exists because the endpoint lacks an ownership verification step for the token being revoked.", "description_and_impact": "The flaw resides in the DELETE /v1/access-tokens/revoke endpoint of hoppscotch. When a user supplies the identifier of a personal access token (PAT), the system deletes that token without confirming that the token belongs to the calling user. This allows any authenticated user to invalidate another user\u2019s PAT, which can lock the target user out of services that depend on those tokens, thereby compromising that user\u2019s availability and potentially exposing confidential information that was accessed with the revoked token.", "risk_and_exploitability": "Although a CVSS base score is not supplied, the absence of access control elevates the risk. The EPSS score of <1% indicates a very low probability of exploitation; however, any authenticated user who wishes to sabotage another user can do so. The vulnerability is not currently listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-03-09T10:05:54.599470+00:00", "updated": "2026-04-18T17:30:05.959436+00:00", "vendors": ["hoppscotch", "hoppscotch$PRODUCT$hoppscotch"]}