CVE-2026-28216 in hoppscotch
Summary
by MITRE • 02/27/2026
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. In `user-environments.resolver.ts:82-109`, the `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user, but the service only uses the UID to check if the target is a global environment. The actual delete query uses `WHERE { id }` without `AND userUid`. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation, but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability in hoppscotch prior to version 2026.2.0 is a critical access control flaw in the GraphQL resolvers that manage user environments, specifically the updateUserEnvironment and deleteUserEnvironment mutations in user-environments.resolver.ts at lines 82-109. The resolvers do not bind the authenticated user's identity to the operation before acting on sensitive data, so the ownership check that should enforce least privilege is simply absent, opening the door to privilege escalation and data compromise.
Technically, the defect is in how the GraphQL authentication guard is wired to the resolver. The updateUserEnvironment mutation applies the UseGuards(GqlAuthGuard) decorator, so the caller must be logged in, but it omits the GqlUser() decorator that extracts the authenticated user's identity from the request context. The service layer therefore receives only the environment ID, and prisma.userEnvironment.update runs with no ownership filter, so any authenticated user can manipulate another user's environment through a direct API call. deleteUserEnvironment does extract the user, but uses the UID only to check whether the target is a global environment; the delete query itself filters on id alone, without a userUid constraint. Both paths give a direct route to unauthorized modification and deletion.
The operational impact goes beyond exposure of the environment record itself. User environments in hoppscotch hold API keys, authentication tokens and secret credentials used to make authenticated API requests, so an authenticated attacker who learns another user's environment ID can effectively act as that user against the systems those credentials unlock. The CUID format of environment IDs provides only minimal protection against automated exploitation attempts, which makes the flaw particularly dangerous in insider threat scenarios or when combined with an information disclosure that reveals environment identifiers. The ability to read, modify or delete other users' environments could lead to data breaches, unauthorized system access and potential lateral movement within affected organizations.
Mitigation requires ownership validation in every environment-related operation. The fix in version 2026.2.0 must ensure that each environment access operation verifies the caller's identity and ownership before any database modification. The updateUserEnvironment mutation should obtain the user context through the @GqlUser() decorator and confirm that the requested environment belongs to the authenticated user before updating it; deleteUserEnvironment must include userUid in the WHERE clause of its delete query so that foreign environments cannot be removed. The issue maps to CWE-285: Improper Authorization and ATT&CK technique T1078: Valid Accounts, since a legitimate account is used to reach data it is not authorized for. Organizations should review access control across similar components, enforce input validation, and ensure every data access path includes an explicit authorization check.
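To make the resolver defect and the fix concrete, the following added example (not hoppscotch's own code) models the two query shapes described above, the ID-only update from the technical analysis and the ownership-scoped update and delete from the mitigation paragraph, against a constructed in-memory stand-in for the prisma.userEnvironment table. The EnvTable class, the seed data and the function names are assumptions for illustration; updateMany/deleteMany mirror Prisma's filter semantics, where every key in `where` must match.

```typescript
// Constructed in-memory stand-in for prisma.userEnvironment (assumption, not Prisma itself).
type UserEnvironment = { id: string; userUid: string; name: string; variables: string };
type Where = { id: string; userUid?: string };

class EnvTable {
  constructor(private rows: UserEnvironment[]) {}
  // Mimics prisma.userEnvironment.updateMany(): a row matches only if every key in `where` matches.
  updateMany(args: { where: Where; data: Partial<UserEnvironment> }): { count: number } {
    const hits = this.rows.filter(r => this.matches(r, args.where));
    hits.forEach(r => Object.assign(r, args.data));
    return { count: hits.length };
  }
  deleteMany(args: { where: Where }): { count: number } {
    const before = this.rows.length;
    this.rows = this.rows.filter(r => !this.matches(r, args.where));
    return { count: before - this.rows.length };
  }
  find(id: string): UserEnvironment | undefined { return this.rows.find(r => r.id === id); }
  private matches(r: UserEnvironment, w: Where): boolean {
    return r.id === w.id && (w.userUid === undefined || r.userUid === w.userUid);
  }
}

// Vulnerable shape: the caller's identity never reaches the query, so only the ID is filtered.
function updateEnvVulnerable(db: EnvTable, id: string, variables: string): number {
  return db.updateMany({ where: { id }, data: { variables } }).count;
}

// Fixed shape: the authenticated uid is part of the WHERE, so a foreign ID matches nothing.
function updateEnvFixed(db: EnvTable, callerUid: string, id: string, variables: string): number {
  const { count } = db.updateMany({ where: { id, userUid: callerUid }, data: { variables } });
  if (count === 0) throw new Error('environment not found'); // same answer for missing and foreign
  return count;
}

function deleteEnvFixed(db: EnvTable, callerUid: string, id: string): number {
  const { count } = db.deleteMany({ where: { id, userUid: callerUid } });
  if (count === 0) throw new Error('environment not found');
  return count;
}

// Constructed sample rows: two users, one environment each.
function seed(): EnvTable {
  return new EnvTable([
    { id: 'env_alice', userUid: 'alice', name: 'staging', variables: 'API_KEY=a1' },
    { id: 'env_bob', userUid: 'bob', name: 'prod', variables: 'API_KEY=b1' },
  ]);
}
```

Returning "not found" for both a missing and a foreign environment avoids confirming to the caller that someone else's ID exists.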