CVE-2026-28217 in hoppscotch

Summary

by MITRE • 02/27/2026

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.


Analysis

by VulDB Data Team • 03/01/2026

The vulnerability identified as CVE-2026-28217 affects hoppscotch, an open source API development ecosystem that provides tools for testing and developing REST and GraphQL APIs. This security flaw represents a critical authorization bypass issue that undermines the platform's data protection mechanisms. The vulnerability specifically impacts the `userCollection` GraphQL query functionality, which serves as a direct interface for retrieving collection data from the system's database. Prior to the remediation in version 2026.2.0, this query failed to implement proper access controls, allowing any authenticated user to retrieve complete collection information regardless of ownership status. The exposed data includes not only collection metadata such as title and type but also the serialized `data` field which contains HTTP requests with their associated headers and potentially sensitive authentication information.

The technical implementation flaw stems from an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-284, where the system directly references objects using user-supplied input without proper authorization validation. The GraphQL resolver for `userCollection` lacks the authorization checks that are consistently implemented across all other operations within the same resolver, creating an inconsistent security posture. This inconsistency allows attackers to exploit the missing authorization layer by simply providing any valid collection ID in the query parameters, bypassing the normal access control mechanisms that should verify user ownership before returning sensitive data. The vulnerability demonstrates a fundamental failure in the principle of least privilege, where the system grants access to resources beyond what should be permitted based on user credentials and role-based access controls.

The operational impact of this vulnerability extends beyond simple data exposure, as it can lead to significant security breaches within API development environments. When authenticated users can access collections they do not own, they gain access to potentially sensitive information including API keys, authentication tokens, and other confidential headers used in HTTP requests. This exposure creates risk for organizations using hoppscotch for internal API development, where collections may contain credentials for production systems, staging environments, or other sensitive infrastructure. The vulnerability also enables potential reconnaissance activities where attackers can gather information about other users' API testing activities and collection structures, potentially leading to more sophisticated attacks targeting specific endpoints or authentication mechanisms. This type of vulnerability aligns with ATT&CK technique T1528, which focuses on obtaining credentials through unauthorized access to stored credentials and sensitive information.

The remediation implemented in version 2026.2.0 addresses this vulnerability by introducing proper authorization checks within the `userCollection` GraphQL resolver. The fix ensures that the system validates whether the requesting user owns the collection before returning any data, implementing the missing authorization layer that exists for all other operations in the same resolver. This correction brings the system in line with standard security practices for GraphQL implementations and REST APIs, where proper access controls must be enforced at the data access level. Organizations using hoppscotch should immediately upgrade to version 2026.2.0 or later to mitigate this risk, and security teams should conduct thorough reviews of their API access controls to ensure similar inconsistencies do not exist in other systems. The vulnerability highlights the importance of consistent security implementation across all application interfaces and the critical need for comprehensive authorization testing in API development environments.
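The missing ownership check described above, as an added illustration rather than Hoppscotch's own code: a constructed in-memory collection store, the vulnerable resolver shape (lookup by caller-supplied id only), the fixed shape (owner compared to the authenticated user before anything is returned), and a small check a test suite can run against either one. The type, field and function names are assumptions.

```typescript
// Added example of the IDOR pattern in the advisory. Not Hoppscotch code:
// the store, the types and the resolver names are constructed for illustration.
type UserCollection = {
  id: string;
  userUid: string;          // owner of the collection
  title: string;
  type: "REST" | "GQL";
  data: string | null;      // serialized requests; may carry headers and secrets
};

type AuthUser = { uid: string };

// Constructed stand-in for the database table.
const collections: UserCollection[] = [
  { id: "c1", userUid: "alice", title: "Payments API", type: "REST",
    data: JSON.stringify({ headers: [{ key: "Authorization", value: "Bearer <constructed>" }] }) },
  { id: "c2", userUid: "bob", title: "Public docs", type: "GQL", data: null },
];

class NotFoundError extends Error {}
class ForbiddenError extends Error {}

// Vulnerable shape: the caller is authenticated, but the id is never tied to the caller.
function userCollectionVulnerable(id: string, _user: AuthUser): UserCollection {
  const c = collections.find((x) => x.id === id);
  if (!c) throw new NotFoundError("collection not found");
  return c;  // full record, including `data`, to any authenticated user
}

// Fixed shape: ownership is verified before any field of the record is returned.
// (Returning "not found" for both cases is a common choice to avoid confirming
// that a guessed id exists; the distinct error here keeps the check visible.)
function userCollectionFixed(id: string, user: AuthUser): UserCollection {
  const c = collections.find((x) => x.id === id);
  if (!c) throw new NotFoundError("collection not found");
  if (c.userUid !== user.uid) throw new ForbiddenError("not the owner");
  return c;
}

// Regression check: true if a non-owner can read another user's collection.
function leaksAcrossUsers(resolver: (id: string, u: AuthUser) => UserCollection): boolean {
  try {
    resolver("c1", { uid: "bob" });  // bob asks for alice's collection
    return true;
  } catch (e) {
    return !(e instanceof ForbiddenError);
  }
}
```

The `leaksAcrossUsers` check is the kind of per-resolver test the analysis recommends, so that one operation in a resolver cannot silently lack the check its siblings have.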

Responsible: GitHub M
Reservation: 02/25/2026
Disclosure: 02/27/2026
Moderation: accepted
CPE: ready
EPSS: 0.00017
KEV: no
Activities: very low
