CVE-2026-44478: Information Disclosure in Hoppscotch
Platform
nodejs
Component
hoppscotch
Fixed in
2026.4.0
CVE-2026-44478 is an information disclosure vulnerability affecting Hoppscotch versions 2025.7.0 through 2026.3.9. An unauthenticated attacker can exploit this flaw to retrieve sensitive infrastructure secrets stored in plaintext. The vulnerability stems from a failure to properly restrict access to the /v1/onboarding/config endpoint when the ONBOARDINGRECOVERYTOKEN is an empty string. A patch is available in version 2026.4.0.
Impact and Attack Scenarios
The primary impact of CVE-2026-44478 is the exposure of sensitive infrastructure secrets. These secrets could include database credentials, API keys, or other configuration data critical to the operation of the Hoppscotch instance. Successful exploitation allows an attacker to gain unauthorized access to underlying systems and data, potentially leading to data breaches, service disruption, or further compromise. The plaintext nature of the exposed secrets significantly lowers the barrier to exploitation, as no complex techniques are required to extract and utilize the information. This vulnerability shares similarities with other information disclosure flaws where sensitive data is inadvertently exposed through API endpoints.
Exploitation Context
CVE-2026-44478 was published on 2026-05-13. Its severity is rated as HIGH (CVSS 7.5). There is no indication of this vulnerability being actively exploited in the wild at this time. Public proof-of-concept (POC) code is not currently available, but the ease of exploitation suggests it could be developed quickly. The vulnerability is not listed on KEV or EPSS, indicating a low to medium probability of exploitation.
Threat Intelligence
Exploit Status
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- None — no integrity impact. Attacker cannot modify data.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-44478 is to upgrade Hoppscotch to version 2026.4.0 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. One option is to ensure that the ONBOARDINGRECOVERYTOKEN is never an empty string in the database. Additionally, implement strict access controls on the /v1/onboarding/config endpoint, requiring authentication and authorization checks. A Web Application Firewall (WAF) could be configured to block requests to this endpoint from unauthenticated users. After upgrading, verify the fix by attempting to access the /v1/onboarding/config endpoint without authentication; the request should be denied.
How to fix
Actualice Hoppscotch a la versión 2026.4.0 o posterior para mitigar esta vulnerabilidad. La versión corregida implementa una verificación adicional para evitar la divulgación de secretos de infraestructura a usuarios no autenticados.
Frequently asked questions
What is CVE-2026-44478 — Information Disclosure in Hoppscotch?
CVE-2026-44478 is a HIGH severity vulnerability in Hoppscotch versions 2025.7.0–<2026.4.0. It allows unauthenticated users to retrieve infrastructure secrets in plaintext via the /v1/onboarding/config endpoint if the ONBOARDINGRECOVERYTOKEN is empty.
Am I affected by CVE-2026-44478 in Hoppscotch?
You are affected if you are running Hoppscotch versions 2025.7.0 through 2026.3.9 and the ONBOARDINGRECOVERYTOKEN is an empty string in your database. Upgrade to 2026.4.0 to mitigate the risk.
How do I fix CVE-2026-44478 in Hoppscotch?
Upgrade Hoppscotch to version 2026.4.0 or later. As a temporary workaround, ensure the ONBOARDINGRECOVERYTOKEN is never an empty string and implement access controls on the /v1/onboarding/config endpoint.
Is CVE-2026-44478 being actively exploited?
There is currently no public evidence of CVE-2026-44478 being actively exploited in the wild, but the ease of exploitation suggests it could be targeted.
Where can I find the official Hoppscotch advisory for CVE-2026-44478?
Refer to the Hoppscotch project's official security advisories and release notes for the most up-to-date information regarding CVE-2026-44478: https://github.com/hoppscotch/hoppscotch
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...