Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.
Published: 2026-02-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Patch
AI Analysis

Impact

A vulnerable GraphQL query in Hoppscotch allows any authenticated user to request any collection by ID and receive its full data, including confidential HTTP requests with headers that may contain secrets. This constitutes an insecure direct object reference, meaning an attacker can read other users' private collections without authorization. The lack of an ownership check means the impact is broad, exposing sensitive request data to anyone with valid credentials, potentially compromising confidentiality of multiple users' API calls. This vulnerability is an instance of CWE-639 and CWE-862, reflecting an authorization bypass through user-controlled input and a missing authorization check, respectively.
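To make the missing check concrete, the following is an added illustration (not Hoppscotch's code) of a resolver-style lookup in its vulnerable shape beside a hardened one, using a constructed in-memory store; the record fields, user names and collection IDs are assumptions for the example.

```typescript
// Constructed illustration of the IDOR pattern described above; not Hoppscotch code.
// Minimal stand-in for a persisted user collection: the serialized `data` field
// is where request definitions, headers and any embedded secrets live.
interface UserCollection {
  id: string;
  userUid: string;        // owner of the collection
  title: string;
  type: 'REST' | 'GQL';
  data: string;           // serialized requests; may contain secrets
}

// Constructed sample store holding two users' collections (placeholder values).
const store: Record<string, UserCollection> = {
  'col-1': { id: 'col-1', userUid: 'alice', title: 'Billing API', type: 'REST',
             data: '{"headers":[{"key":"Authorization","value":"Bearer <placeholder>"}]}' },
  'col-2': { id: 'col-2', userUid: 'bob', title: 'Public docs', type: 'GQL', data: '{}' },
};

// Vulnerable shape: the caller-supplied ID is trusted and the collection's owner
// is never compared with the authenticated user, so any valid session reads any row.
function userCollectionVulnerable(_requester: string, collectionID: string): UserCollection {
  const col = store[collectionID];
  if (!col) throw new Error('collection not found');
  return col;
}

// Hardened shape: ownership is part of the lookup predicate. A collection that
// exists but belongs to someone else produces the same error as a missing one,
// so the endpoint does not double as an existence oracle for other users' IDs.
function userCollectionFixed(requester: string, collectionID: string): UserCollection {
  const col = store[collectionID];
  if (!col || col.userUid !== requester) throw new Error('collection not found');
  return col;
}

// Detection-style helper for the comparison: true when `requester` is handed
// back a collection owned by someone else, i.e. the IDOR is reachable.
function leaks(resolver: (r: string, id: string) => UserCollection,
               requester: string, collectionID: string): boolean {
  try {
    return resolver(requester, collectionID).userUid !== requester;
  } catch (e) {
    return false;
  }
}
```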

Affected Systems

Hoppscotch (the open-source API development ecosystem) in versions prior to 2026.2.0. The vulnerability exists in the GraphQL resolver that handles the userCollection query; any installation running an affected version of Hoppscotch is at risk.

Risk and Exploitability

The CVSS v3.1 score of 6.5 reflects moderate severity, but the EPSS score of less than 1% indicates that exploitation is unlikely at present. The vulnerability is not in the CISA KEV catalog. An attacker needs only an authenticated session: a userCollection query carrying another user's collection ID returns that collection's full data. No privileges beyond an authenticated session are required, so the flaw is straightforward to exploit for any user with an account.

Generated by OpenCVE AI on April 17, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Hoppscotch 2026.2.0 or later, which adds the missing authorization check on the userCollection query.
  • Verify that every resolver that accepts a collection ID checks that the requesting user owns the collection before returning its data.
  • Regularly audit permissions associated with GraphQL resolvers to prevent accidental exposure of private resources.

Tracking

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 16:00:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-639
CPEs       |                | cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hoppscotch; Hoppscotch hoppscotch
Vendors & Products  |                | Hoppscotch; Hoppscotch hoppscotch

Thu, 26 Feb 2026 23:00:00 +0000

Type        | Values Removed | Values Added
Description |                | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.
Title       |                | IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:42:07.857Z

Reserved: 2026-02-25T15:28:40.649Z

Link: CVE-2026-28217

Vulnrichment

Updated: 2026-02-27T18:42:00.511Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:36.263

Modified: 2026-02-27T15:50:55.187

Link: CVE-2026-28217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses