Unrated severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026
hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token
CVE-2026-30825
Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
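The missing ownership check described above, as an added illustration that is not hoppscotch's code: an in-memory token store (class, method names and sample data are all hypothetical and constructed) with a revoke keyed on the token ID alone beside one that also requires the token to belong to the caller.

```typescript
// Added illustration: in-memory stand-in for a PAT table. All names are hypothetical.
interface AccessToken { id: string; ownerUid: string; label: string; }

class TokenStore {
  private tokens = new Map<string, AccessToken>();

  add(token: AccessToken): void { this.tokens.set(token.id, token); }
  has(id: string): boolean { return this.tokens.has(id); }

  // Vulnerable pattern: the caller is authenticated, but the delete is keyed
  // on the token ID alone, so the caller's identity never constrains it.
  revokeUnscoped(_callerUid: string, tokenId: string): boolean {
    return this.tokens.delete(tokenId);
  }

  // Hardened pattern: the delete only happens when the token ID exists AND
  // its owner is the session user. A token owned by someone else is reported
  // exactly like a missing one, so the response does not confirm that a
  // foreign ID exists.
  revokeScoped(callerUid: string, tokenId: string): boolean {
    const token = this.tokens.get(tokenId);
    if (token === undefined || token.ownerUid !== callerUid) return false;
    return this.tokens.delete(tokenId);
  }
}

// Constructed sample data: two users, one token each.
function seed(): TokenStore {
  const store = new TokenStore();
  store.add({ id: "tok-alice-1", ownerUid: "alice", label: "ci" });
  store.add({ id: "tok-bob-1", ownerUid: "bob", label: "laptop" });
  return store;
}

// Authorization regression check: user "bob" tries to revoke alice's token.
// Returns [revoke call reported success, alice's token still present].
function crossUserRevoke(scoped: boolean): [boolean, boolean] {
  const store = seed();
  const ok = scoped
    ? store.revokeScoped("bob", "tok-alice-1")
    : store.revokeUnscoped("bob", "tok-alice-1");
  return [ok, store.has("tok-alice-1")];
}
```

A cross-user check like `crossUserRevoke` is worth keeping as a regression test for every endpoint that takes an object ID from the request.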
Affected products
- (no CPE) range: < 2026.2.1
- (no CPE) range: < 2026.2.1
References
- github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1 (mitre, x_refsource_MISC)
- github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h (mitre, x_refsource_CONFIRM)