6.5
hoppscotch API Development Ecosystem Exposes Sensitive Data
CVE-2026-28217
Summary
The hoppscotch API development tool prior to version 2026.2.0 can leak sensitive data, such as API request headers and potentially secrets, to any authenticated user. This is a security risk because it allows unauthorized access to data that should be restricted. To protect your data, update to version 2026.2.0 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| hoppscotch | hoppscotch | <= 2026.2.0 | – |
Original title
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — inclu...
Original description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.
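The bug class described above, as an added illustration that is not hoppscotch's code: a hypothetical GraphQL-style resolver that fetches a collection by a client-supplied ID, first without the ownership check (the IDOR shape) and then with it. The store, user IDs and `canReadCollection` helper are constructed for the example.

```typescript
// Added illustration of the bug class in the advisory, not hoppscotch's code:
// a GraphQL-style resolver that looks up a user collection by a client-supplied ID.

interface Collection {
  id: string;
  ownerId: string;
  title: string;
  data: string; // serialized requests; may embed headers and secrets
}

// Constructed in-memory store standing in for the database.
const collections: Record<string, Collection> = {
  "col-1": {
    id: "col-1", ownerId: "alice", title: "Billing API",
    data: JSON.stringify({ headers: { Authorization: "Bearer PLACEHOLDER_TOKEN" } }),
  },
  "col-2": { id: "col-2", ownerId: "bob", title: "Scratch", data: "{}" },
};

class NotFoundError extends Error {}

// Vulnerable shape (CWE-862 / CWE-639): any authenticated caller passes any ID
// and receives the full row. The caller's identity is never consulted.
function userCollectionVulnerable(_callerId: string, collectionId: string): Collection {
  const col = collections[collectionId];
  if (!col) throw new NotFoundError(`collection ${collectionId} not found`);
  return col;
}

// The authorization predicate: a collection is readable only by its owner.
function canReadCollection(callerId: string, collectionId: string): boolean {
  const col = collections[collectionId];
  return col !== undefined && col.ownerId === callerId;
}

// Hardened shape: ownership is checked before any data leaves the resolver.
// Non-owned and non-existent IDs produce the same error so the endpoint does
// not confirm which IDs exist.
function userCollectionFixed(callerId: string, collectionId: string): Collection {
  if (!canReadCollection(callerId, collectionId)) {
    throw new NotFoundError(`collection ${collectionId} not found`);
  }
  return collections[collectionId];
}
```

The same predicate should guard every operation on the object (read, update, delete, move), which is the consistency the advisory says the other resolver operations already had.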
NVD CVSS 3.1
6.5
Vulnerability type
CWE-862
Missing Authorization
CWE-639
Authorization Bypass Through User-Controlled Key
- https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0 (Product Release Notes)
- https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75 (Exploit, Mitigation, Vendor Advisory)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026