CVE-2026-28216
Received Received - Intake
Authorization Bypass in Hoppscotch User Environment Management

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28216
EUVD
EUVD-2026-8913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hoppscotch hoppscotch to 2026.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in hoppscotch, an open source API development ecosystem, prior to version 2026.2.0. It allows any logged-in user to read, modify, or delete another user's personal environment by ID without proper ownership verification.

The issue arises because the updateUserEnvironment mutation uses authentication guards but does not extract the user's identity, so the service updates environments based only on the environment ID without checking if the user owns it.

Similarly, the deleteUserEnvironment mutation extracts the user but only uses the user ID to check if the environment is global, and deletes environments based solely on the environment ID without verifying ownership.

Since hoppscotch environments store sensitive data such as API keys, authentication tokens, and secrets, an authenticated attacker who knows another user's environment ID can access or manipulate these secrets.

The environment ID format (CUID) limits mass exploitation, but insider threats or combined information leak scenarios remain realistic. The vulnerability was fixed in version 2026.2.0.

Impact Analysis

This vulnerability can have serious impacts because it allows an authenticated attacker to access, modify, or delete another user's sensitive environment data.

  • Exposure of API keys, authentication tokens, and secrets stored in user environments.
  • Unauthorized modification of these secrets, potentially injecting malicious values.
  • Deletion of critical environment data, disrupting legitimate API requests and workflows.

Such impacts can lead to compromised accounts, unauthorized access to APIs, data breaches, and service disruptions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in hoppscotch version 2026.2.0. Immediate mitigation involves upgrading hoppscotch to version 2026.2.0 or later.

Until the upgrade is applied, restrict access to the application to trusted users only, as any authenticated user can read, modify, or delete another user's personal environment by ID.

Additionally, monitor and audit usage of environment IDs to detect any unauthorized access or modification attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart