CVE-2026-28217

Medium CVSS: 6.5

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.

Vendor

Hoppscotch

Product

Hoppscotch

CWE

CWE-862

Yayın Tarihi

2026-02-26 23:16:36

Güncelleme

2026-02-27 15:50:55

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-862 Hoppscotch MEDIUM Hoppscotch 2026

Referanslar

https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0 https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75

Benzer Kayıtlar

Unknown

CVE-2026-30825

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke e…

High

CVE-2026-28216

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify o…

Critical

CVE-2026-28215

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overw…