hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDINGRECOVERYTOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44478.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-284",
"CWE-287"
]
}