Auth bypass in Hoppscotch

CVE-2026-30825

Hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verificatio…

Vulnerability class: IDOR (Insecure Direct Object Reference)
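
The missing ownership check described above, shown as an added example that is not Hoppscotch's code: a revoke operation keyed on the token ID alone beside one that scopes the lookup to the caller. The `TokenStore` class, its field names and the sample IDs are assumptions made for illustration.

```typescript
// Added illustration: in-memory stand-in for a PAT table; not Hoppscotch code.
interface AccessToken { id: string; userUid: string; label: string }
type RevokeResult = "revoked" | "not_found";

class TokenStore {
  private tokens = new Map<string, AccessToken>();
  add(t: AccessToken): void { this.tokens.set(t.id, t); }
  has(id: string): boolean { return this.tokens.has(id); }

  // IDOR pattern: the caller is authenticated, but the delete is keyed on
  // the token ID alone, so the caller's identity never enters the decision.
  revokeUnchecked(_callerUid: string, tokenId: string): RevokeResult {
    return this.tokens.delete(tokenId) ? "revoked" : "not_found";
  }

  // Hardened pattern: ownership is part of the lookup. A token that exists
  // but belongs to another user gets the same answer as a missing one, so
  // the response does not confirm which IDs are valid.
  revokeOwned(callerUid: string, tokenId: string): RevokeResult {
    const t = this.tokens.get(tokenId);
    if (t === undefined || t.userUid !== callerUid) return "not_found";
    this.tokens.delete(tokenId);
    return "revoked";
  }
}

// Constructed scenario: user "bob" submits the ID of a token owned by "alice",
// then revokes one of his own tokens.
function runScenario(mode: "unchecked" | "owned") {
  const store = new TokenStore();
  store.add({ id: "pat-alice-1", userUid: "alice", label: "ci" });
  store.add({ id: "pat-bob-1", userUid: "bob", label: "laptop" });
  const revoke = (uid: string, id: string): RevokeResult =>
    mode === "unchecked" ? store.revokeUnchecked(uid, id) : store.revokeOwned(uid, id);

  const crossUser = revoke("bob", "pat-alice-1");
  const aliceTokenSurvives = store.has("pat-alice-1");
  const ownRevoke = revoke("bob", "pat-bob-1");
  return { crossUser, aliceTokenSurvives, ownRevoke };
}

console.log("unchecked:", runScenario("unchecked"));
console.log("owned:    ", runScenario("owned"));
```

In a database-backed service the same rule is usually expressed by putting the owner column in the delete's `WHERE` clause, so the check and the delete cannot drift apart.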

EPSS: 0.000 (3.4th percentile)

Affected products

Weakness classification (CWE)

References