6.5

Authenticated users can delete other users' API access tokens in Hoppscotch

CVE-2026-30825
Summary

In older versions of Hoppscotch, any authenticated user could delete another user's Personal Access Token (PAT) by knowing its ID. This means someone could lock out other users from accessing their own APIs. Update to version 2026.2.1 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
hoppscotch | hoppscotch | <= 2026.2.1 | –
Original title
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by provi...
Original description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
nvd CVSS3.1 0.0
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026
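
The missing ownership check described above, shown as an added example that is not Hoppscotch's code: a constructed in-memory token service with a revoke keyed only on the token ID beside one scoped to the authenticated caller. The class, field names, sample token IDs, audit outcomes and the 204/404 status codes are assumptions made for illustration.

```typescript
// Added example: constructed in-memory model, not Hoppscotch's code.
interface AccessToken { id: string; userUid: string; label: string }
type Outcome = "revoked" | "denied_not_owner" | "not_found";
interface AuditEvent { actorUid: string; tokenId: string; outcome: Outcome }

class TokenService {
  private tokens = new Map<string, AccessToken>();
  readonly audit: AuditEvent[] = [];

  add(token: AccessToken): void { this.tokens.set(token.id, token); }
  exists(tokenId: string): boolean { return this.tokens.has(tokenId); }

  // Vulnerable pattern (CWE-639): the caller is authenticated, but the
  // delete is keyed only on the caller-supplied token ID.
  revokeUnchecked(_callerUid: string, tokenId: string): number {
    return this.tokens.delete(tokenId) ? 204 : 404;
  }

  // Hardened pattern: the token must belong to the authenticated caller.
  // A token owned by someone else returns the same 404 as a missing one,
  // so the response does not confirm which IDs exist. The audit trail
  // still separates the two cases for detection.
  revokeOwned(callerUid: string, tokenId: string): number {
    const token = this.tokens.get(tokenId);
    let outcome: Outcome = "revoked";
    if (!token) outcome = "not_found";
    else if (token.userUid !== callerUid) outcome = "denied_not_owner";
    else this.tokens.delete(tokenId);
    this.audit.push({ actorUid: callerUid, tokenId, outcome });
    return outcome === "revoked" ? 204 : 404;
  }
}

// Constructed sample data: two users, one token each.
function seed(): TokenService {
  const svc = new TokenService();
  svc.add({ id: "pat-alice-1", userUid: "alice", label: "ci" });
  svc.add({ id: "pat-bob-1", userUid: "bob", label: "laptop" });
  return svc;
}
```

The same two calls work as a regression test after upgrading: a revoke issued by one account against another account's token ID must leave that token in place.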