Unrated severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026

hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token

CVE-2026-30825

Description

Hoppscotch is an open-source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's Personal Access Token (PAT) by providing its ID, because the endpoint performs no ownership verification. This issue has been patched in version 2026.2.1.
