Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. In `user-environments.resolver.ts:82-109`, the `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user, but the service only uses the UID to check whether the target is a global environment; the actual delete query uses `where: { id }` without an `AND userUid` condition. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation, but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.
Published: 2026-02-26
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Insecure Direct Object Reference enabling unauthorized access to personal environments and secrets
Action: Patch ASAP
AI Analysis

Impact

An Insecure Direct Object Reference exists in Hoppscotch's updateUserEnvironment and deleteUserEnvironment mutations. The code fails to enforce ownership checks, allowing any authenticated user to read, modify or delete another user's personal environment by providing its ID. The vulnerable code performs an update or delete query that filters only on the environment ID, not on the user identifier, thereby exposing API keys, authentication tokens and other secrets stored in user environments.

Affected Systems

The affected vendor is Hoppscotch, the open-source API development ecosystem. All releases older than 2026.2.0 are vulnerable; the issue is resolved starting with release 2026.2.0. Users who have installed any pre-2026.2.0 version are at risk.

Risk and Exploitability

The CVSS base score is 8.3, indicating high severity. The EPSS score is below 1%, implying that exploitation is expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack requires only an authenticated account and an environment ID, an insider or a compromised account could use the IDOR to exfiltrate sensitive secrets. Because no ownership filter is applied, the flaw is reachable by any authenticated user who discovers or guesses a target ID.

Generated by OpenCVE AI on April 16, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hoppscotch to version 2026.2.0 or newer.
  • Implement a temporary guard that verifies the environment owner before processing update or delete requests.
  • Regenerate and rotate all API keys and secrets stored in environments that could have been exposed prior to the upgrade.

Generated by OpenCVE AI on April 16, 2026 at 15:56 UTC.
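The following TypeScript is an added example, not Hoppscotch's code, that models the two patterns the description contrasts: an update/delete keyed on the environment `id` alone (the `where: { id }` query with no ownership filter) beside the ownership-scoped form, which is also what the recommended "guard that verifies the environment owner" amounts to. It uses an in-memory map instead of Prisma; the type names, function names and the sample records (`env_alice`, `env_bob` and their values) are constructed for this illustration.

```typescript
// Added example (not Hoppscotch's code): an in-memory model of a
// user-environment service, contrasting an id-only update/delete with one
// scoped to the caller's userUid. All names and sample data are constructed.

interface UserEnvironment {
  id: string;
  userUid: string; // owner of the personal environment
  name: string;
  variables: Record<string, string>; // where API keys and tokens live
}

type EnvRepo = Map<string, UserEnvironment>;
type EnvPatch = Partial<Pick<UserEnvironment, 'name' | 'variables'>>;

// Constructed sample data: two users, each owning one personal environment.
function seedRepo(): EnvRepo {
  return new Map<string, UserEnvironment>([
    ['env_alice', { id: 'env_alice', userUid: 'alice', name: 'prod', variables: { API_KEY: 'alice-secret' } }],
    ['env_bob', { id: 'env_bob', userUid: 'bob', name: 'dev', variables: { API_KEY: 'bob-secret' } }],
  ]);
}

// VULNERABLE pattern: the record is located by id alone, the equivalent of
// prisma.userEnvironment.update({ where: { id } }). The caller's identity is
// not even a parameter, so nothing here can check ownership.
function updateEnvironmentVulnerable(repo: EnvRepo, id: string, patch: EnvPatch): UserEnvironment | undefined {
  const env = repo.get(id);
  if (!env) return undefined;
  const updated: UserEnvironment = { ...env, ...patch };
  repo.set(id, updated);
  return updated;
}

// FIXED pattern: the lookup is scoped to the requesting user, the equivalent
// of a where: { id, userUid } filter. A record owned by someone else is
// reported exactly like a missing one, so the check also leaks no existence oracle.
function updateEnvironmentOwned(repo: EnvRepo, userUid: string, id: string, patch: EnvPatch): UserEnvironment | undefined {
  const env = repo.get(id);
  if (!env || env.userUid !== userUid) return undefined;
  const updated: UserEnvironment = { ...env, ...patch };
  repo.set(id, updated);
  return updated;
}

// FIXED delete: same ownership scoping. True only when a record owned by
// userUid was actually removed.
function deleteEnvironmentOwned(repo: EnvRepo, userUid: string, id: string): boolean {
  const env = repo.get(id);
  if (!env || env.userUid !== userUid) return false;
  repo.delete(id);
  return true;
}

// Regression-style check: a request by "bob" against alice's environment id
// succeeds under the id-only pattern and is refused under the scoped one,
// while alice's own request under the scoped pattern still works.
function demo(): { vulnerableChanged: boolean; fixedChanged: boolean; fixedDeleted: boolean; ownerChanged: boolean } {
  const tampered: EnvPatch = { variables: { API_KEY: 'tampered' } };

  const repoA = seedRepo();
  const vulnerable = updateEnvironmentVulnerable(repoA, 'env_alice', tampered);

  const repoB = seedRepo();
  const fixed = updateEnvironmentOwned(repoB, 'bob', 'env_alice', tampered);
  const deleted = deleteEnvironmentOwned(repoB, 'bob', 'env_alice');
  const owner = updateEnvironmentOwned(repoB, 'alice', 'env_alice', { name: 'staging' });

  return {
    vulnerableChanged: vulnerable !== undefined && vulnerable.variables.API_KEY === 'tampered',
    fixedChanged: fixed !== undefined,
    fixedDeleted: deleted,
    ownerChanged: owner !== undefined && owner.name === 'staging',
  };
}

console.log(demo());
```

In the real resolver the missing piece is the `@GqlUser()` parameter, so that the service receives a `userUid` to filter on at all. With Prisma, a query that is scoped this way can be expressed as `updateMany({ where: { id, userUid }, data })` (or `deleteMany` with the same `where`) and treating a returned `count` of 0 as "not found", which keeps the ownership condition inside the query rather than in a separate check that a later change can bypass.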

Tracking


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Hoppscotch
Hoppscotch hoppscotch
Vendors & Products Hoppscotch
Hoppscotch hoppscotch

Thu, 26 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.
Title hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:43:16.218Z

Reserved: 2026-02-25T15:28:40.649Z

Link: CVE-2026-28216

Vulnrichment

Updated: 2026-02-27T18:43:11.472Z

NVD

Status: Analyzed

Published: 2026-02-26T23:16:36.100

Modified: 2026-02-27T15:51:42.330

Link: CVE-2026-28216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses