Hoppscotch CVE-2026-44478: Unauthenticated Infrastructure Secret Leak

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-284cwe-287
Hoppscotch CVE-2026-44478: Unauthenticated Infrastructure Secret Leak

The National Vulnerability Database has detailed CVE-2026-44478, a critical vulnerability in Hoppscotch, an open-source API development ecosystem. This flaw allows unauthenticated users to retrieve all infrastructure secrets in plaintext. The issue stems from the GET /v1/onboarding/config endpoint, which continues to leak sensitive configuration data when the ONBOARDING_RECOVERY_TOKEN in the database is an empty string. This bypasses a previous fix for CVE-2026-28215.

This vulnerability, with a CVSS score of 7.5 (HIGH), exposes critical infrastructure details, presenting a severe risk to organizations utilizing affected Hoppscotch instances. Attackers can leverage this to gain deep insights into an organization’s backend systems, potentially leading to further exploitation, unauthorized access, or complete system compromise. The impact is significant, as it provides a direct path to sensitive operational data without requiring any authentication.

Defenders must prioritize patching. According to the National Vulnerability Database, this issue is resolved in Hoppscotch version 2026.4.0. Organizations should immediately upgrade to the patched version to prevent unauthenticated access to their infrastructure secrets. Additionally, review existing Hoppscotch configurations to ensure the ONBOARDING_RECOVERY_TOKEN is not empty, and audit logs for any suspicious access attempts to the /v1/onboarding/config endpoint prior to patching.

What This Means For You

  • If your organization uses Hoppscotch, you need to check your version immediately. An unauthenticated attacker can pull your infrastructure secrets in plaintext via CVE-2026-44478. Patch to version 2026.4.0 or higher right now and verify your ONBOARDING_RECOVERY_TOKEN is not empty.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Cloud Accounts Persistence T1539 Steal Web Application Cookies Credential Access

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-44478: Unauthenticated Hoppscotch Onboarding Config Leak

Sigma YAML — free preview 
title: CVE-2026-44478: Unauthenticated Hoppscotch Onboarding Config Leak
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects unauthenticated access to the GET /v1/onboarding/config endpoint in Hoppscotch. This endpoint leaks infrastructure secrets when the ONBOARDING_RECOVERY_TOKEN is an empty string, as described in CVE-2026-44478. This is a critical vulnerability allowing unauthenticated attackers to retrieve sensitive configuration details.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44478/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-method:
          - 'GET'
      uri|contains:
          - '/v1/onboarding/config'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44478 Information Disclosure hoppscotch versions < 2026.4.0
CVE-2026-44478 Information Disclosure GET /v1/onboarding/config endpoint
CVE-2026-44478 Information Disclosure Unauthenticated access to infrastructure secrets
CVE-2026-44478 Information Disclosure ONBOARDING_RECOVERY_TOKEN stored as an empty string in the database

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input

CVE-2026-45158 — OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-88
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 4 IOCs /⚙ 3 Sigma

CVE-2026-44471: gitoxide Symlink Vulnerability Exposes Filesystem to Attack

CVE-2026-44471 — gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out...

vulnerabilityCVEhigh-severitycwe-59
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 3 IOCs /⚙ 3 Sigma

ERPNext SQL Injection (CVE-2026-44447) Exposes Sensitive Data

CVE-2026-44447 — ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 3 IOCs /⚙ 3 Sigma