CVE-2026-28216

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0	Product Release Notes
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-72rv-vc3j-5vqr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

History

27 Feb 2026, 15:51

Type	Values Removed	Values Added
CPE		cpe:2.3:a:hoppscotch:hoppscotch::::::::
First Time		Hoppscotch Hoppscotch hoppscotch
References	~~() https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0 -~~	() https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0 - Product, Release Notes
References	~~() https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-72rv-vc3j-5vqr -~~	() https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-72rv-vc3j-5vqr - Exploit, Vendor Advisory

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) hoppscotch es un ecosistema de desarrollo de API de código abierto. Antes de la versión 2026.2.0, cualquier usuario autenticado puede leer, modificar o eliminar el entorno personal de otro usuario por ID. `user-environments.resolver.ts:82-109`, la mutación `updateUserEnvironment` utiliza `@UseGuards(GqlAuthGuard)` pero carece por completo del decorador `@GqlUser()`. La identidad del usuario nunca se extrae, por lo que el servicio recibe solo el ID del entorno y realiza una `prisma.userEnvironment.update({ where: { id } })` sin ningún filtro de propiedad. La mutación `deleteUserEnvironment` sí extrae al usuario, pero el servicio solo utiliza el UID para verificar si el objetivo es un entorno global. La consulta de eliminación real utiliza WHERE { id } sin AND userUid. Los entornos de hoppscotch almacenan claves API, tokens de autenticación y secretos utilizados en solicitudes API. Un atacante autenticado que obtiene el ID del entorno de otro usuario puede leer sus secretos, reemplazarlos con valores maliciosos o eliminarlos por completo. El formato del ID del entorno es CUID, lo que limita la explotación masiva, pero las amenazas internas y los escenarios combinados de fuga de información son realistas. La versión 2026.2.0 corrige el problema.

26 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 23:16

Updated : 2026-02-27 15:51

NVD link : CVE-2026-28216

Mitre link : CVE-2026-28216

CVE.ORG link : CVE-2026-28216

JSON object : View

Products Affected

hoppscotch

hoppscotch

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

8.3 /10