CVE-2026-30825 PUBLISHED

hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token

Assigner: GitHub_M
Reserved: 05.03.2026 Published: 07.03.2026 Updated: 07.03.2026

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS Score: 0

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	hoppscotch
Product	hoppscotch
Versions	Version < 2026.2.1 is affected

References

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.1

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE