VYPR
Unrated severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026

hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token

CVE-2026-30825

Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
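
The missing ownership check described above, shown as an added example; this is not Hoppscotch's code or its patch. The store, user IDs, token IDs and function names are all constructed for illustration. It places a revoke handler that trusts the client-supplied token ID beside one that scopes the delete to the authenticated caller, plus a regression check for the cross-user case.

```javascript
// Added illustration; not Hoppscotch source. All names and data are constructed.

// Constructed sample store: token ID -> record carrying its owning user.
function makeStore() {
  return new Map([
    ["pat-1", { id: "pat-1", userUid: "alice", label: "ci" }],
    ["pat-2", { id: "pat-2", userUid: "bob", label: "cli" }],
  ]);
}

// Flawed pattern: the caller is authenticated, but the only lookup key is the
// client-supplied token ID, so ownership is never verified.
function revokeByIdOnly(store, callerUid, tokenId) {
  if (!callerUid) return { status: 401 };
  return store.delete(tokenId) ? { status: 200 } : { status: 404 };
}

// Corrected pattern: the delete is scoped to (token ID, caller). A token owned
// by someone else is reported exactly like a missing one, so the response does
// not confirm which IDs exist. With a database, put both conditions in the
// delete's filter so the check and the delete are a single operation.
function revokeOwned(store, callerUid, tokenId) {
  if (!callerUid) return { status: 401 };
  const token = store.get(tokenId);
  if (!token || token.userUid !== callerUid) return { status: 404 };
  store.delete(tokenId);
  return { status: 200 };
}

// Regression check to keep in a test suite: a cross-user revoke must fail and
// must leave the other user's token in place.
function crossUserRevokeBlocked(revokeFn) {
  const store = makeStore();
  const res = revokeFn(store, "alice", "pat-2"); // alice targets bob's token
  return res.status !== 200 && store.has("pat-2");
}

console.log("id-only handler blocks cross-user revoke:", crossUserRevokeBlocked(revokeByIdOnly));
console.log("owner-scoped handler blocks cross-user revoke:", crossUserRevokeBlocked(revokeOwned));
```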

Affected products

  • Hoppscotch/Hoppscotch (2 versions)
    • (no CPE) range: <2026.2.1
    • (no CPE) range: < 2026.2.1
