CVE-2026-28216
Authorization Bypass in Hoppscotch User Environment Management
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoppscotch | hoppscotch | < 2026.2.0 (all versions before 2026.2.0; 2026.2.0 itself contains the fix) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Hoppscotch, an open source API development ecosystem, in versions prior to 2026.2.0. Any logged-in user can read, modify, or delete another user's personal environment by supplying its ID, because the server never verifies that the caller owns the environment it is asked to operate on (an insecure direct object reference, CWE-639).
The updateUserEnvironment GraphQL mutation sits behind authentication guards, but the resolver never extracts the caller's identity, so the service layer updates whichever environment matches the supplied ID with no ownership check at all.
The deleteUserEnvironment mutation does extract the caller, but uses the user ID only to check whether the target is a global environment; the delete itself is then performed on the environment ID alone, again without verifying that the caller owns it.
Because Hoppscotch environments commonly hold sensitive values such as API keys, authentication tokens, and other secrets, an authenticated attacker who learns another user's environment ID can read or tamper with those secrets.
Environment IDs are CUIDs, which are not sequential and are impractical to enumerate, so mass exploitation is unlikely; the realistic cases are an insider who already holds an account on the instance, or an attacker who obtains a target ID through a separate information leak (a shared link, a screenshot, a log). The vulnerability was fixed in version 2026.2.0.
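The two resolver flaws described above, reduced to a minimal model with the corrected version beside them. This is an added example and not Hoppscotch's code: the in-memory store, the record shape, the "null owner means global" convention and every function name are assumptions made for the illustration.

```typescript
// Added illustration of the flawed pattern described in the advisory, beside a
// corrected version. NOT Hoppscotch's code: the in-memory store, the record
// shape and every function name here are assumptions for the example.

type UserEnvironment = {
  id: string;                        // opaque CUID-style identifier
  userId: string | null;             // owner's user ID; null marks a global environment (assumed convention)
  name: string;
  variables: Record<string, string>; // may hold API keys, tokens and other secrets
};

class NotFoundError extends Error {
  constructor(id: string) { super(`environment ${id} not found`); this.name = "NotFoundError"; }
}
class AuthzError extends Error {
  constructor(msg: string) { super(msg); this.name = "AuthzError"; }
}

// Constructed sample data: one personal environment per user plus a global one.
function seedStore(): Map<string, UserEnvironment> {
  return new Map<string, UserEnvironment>([
    ["cl9alice0001", { id: "cl9alice0001", userId: "alice", name: "prod",    variables: { API_KEY: "alice-secret" } }],
    ["cl9bob000002", { id: "cl9bob000002", userId: "bob",   name: "staging", variables: { TOKEN: "bob-secret" } }],
    ["cl9global003", { id: "cl9global003", userId: null,    name: "Global",  variables: {} }],
  ]);
}
let store = seedStore();
function resetStore(): void { store = seedStore(); }
function getEnvironment(id: string): UserEnvironment | undefined { return store.get(id); }

type EnvPatch = Partial<Pick<UserEnvironment, "name" | "variables">>;

// ---- Vulnerable pattern (CWE-639) ------------------------------------------
// The caller passed an auth guard, but the resolver never looks at who the
// caller is: the record is fetched and modified on the supplied ID alone.
function updateUserEnvironmentVulnerable(envId: string, patch: EnvPatch): UserEnvironment {
  const env = store.get(envId);
  if (!env) throw new NotFoundError(envId);
  Object.assign(env, patch); // no ownership check
  return env;
}

// Here the caller IS extracted, but only to refuse global environments; a
// personal environment owned by someone else is deleted without objection.
function deleteUserEnvironmentVulnerable(callerId: string, envId: string): boolean {
  const env = store.get(envId);
  if (!env) throw new NotFoundError(envId);
  if (env.userId === null) throw new AuthzError("global environments cannot be deleted here");
  void callerId; // never compared with env.userId
  return store.delete(envId);
}

// ---- Hardened pattern ------------------------------------------------------
// Resolve the record, then require that the authenticated caller owns it before
// touching it. A foreign record is reported as "not found" so the error does
// not confirm that a guessed ID exists.
function loadOwnedEnvironment(callerId: string, envId: string): UserEnvironment {
  const env = store.get(envId);
  if (!env) throw new NotFoundError(envId);
  if (env.userId === null) throw new AuthzError("global environments are not user environments");
  if (env.userId !== callerId) throw new NotFoundError(envId);
  return env;
}

function updateUserEnvironment(callerId: string, envId: string, patch: EnvPatch): UserEnvironment {
  const env = loadOwnedEnvironment(callerId, envId);
  Object.assign(env, patch);
  return env;
}

function deleteUserEnvironment(callerId: string, envId: string): boolean {
  loadOwnedEnvironment(callerId, envId);
  return store.delete(envId);
}
```

The fix is the single `loadOwnedEnvironment` step that every user-environment mutation goes through: the caller's identity comes from the authenticated session, never from the request, and the ownership comparison happens before any read, write or delete. Returning "not found" rather than "forbidden" for a foreign ID is a deliberate choice so that a probing user cannot use the error to confirm which IDs exist.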
How can this vulnerability impact me?:
This vulnerability is serious because it lets any authenticated user of the instance read, modify, or delete another user's environment data:
- Exposure of API keys, authentication tokens, and other secrets stored in the victim's environments.
- Unauthorized modification of those values, for example substituting an attacker-chosen endpoint or credential so that the victim's later requests go to, or authenticate with, something the attacker controls.
- Deletion of environments, breaking the legitimate API requests and workflows that depend on them.
Taken together these can lead to compromised accounts, unauthorized access to the APIs the stolen credentials protect, data breaches, and service disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Hoppscotch 2026.2.0; upgrade to 2026.2.0 or later. The fix is server-side (the GraphQL mutation resolvers), so for a self-hosted instance it is the backend that must be updated.
Until the upgrade is applied, limit who can authenticate to the instance to trusted users, since every authenticated account can read, modify, or delete any other user's personal environment given its ID, and treat environment IDs as sensitive: avoid pasting them into tickets, chat, or logs, since an ID is all an attacker needs.
Log calls to the updateUserEnvironment and deleteUserEnvironment mutations together with the authenticated user and the target environment ID, and alert when the caller is not the environment's owner. Rotate any API keys or tokens stored in environments that such a review shows were reachable by other users.
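The monitoring suggested above, worked through offline on a constructed audit log. This is an added example and not Hoppscotch's code or its log format: the JSON-lines layout, the field names and the ownership snapshot are assumptions, standing in for whatever audit logging (for instance a GraphQL middleware) records the authenticated caller and the environment ID each mutation targets, and for a query of the environments table.

```typescript
// Added example: scanning an audit log for environment mutations issued by
// someone other than the environment's owner. NOT Hoppscotch's code and not
// its log format: the JSON line layout, field names and ownership snapshot
// below are assumptions for this example.

type AuditEntry = { ts: string; actor: string; mutation: string; environmentId: string };
type Finding = AuditEntry & { owner: string | null | undefined; reason: string };

// The two mutations named in the advisory.
const WATCHED_MUTATIONS = new Set(["updateUserEnvironment", "deleteUserEnvironment"]);

// Constructed ownership snapshot (in a real review: environment ID -> owning
// user, taken from the database; null marks a global environment).
const ownership: Record<string, string | null> = {
  cl9alice0001: "alice",
  cl9bob000002: "bob",
  cl9global003: null,
};

// Constructed sample log: one JSON object per line, one line per mutation call,
// recording the authenticated caller and the environment ID it targeted.
const sampleLog = `
{"ts":"2026-02-26T10:00:01Z","actor":"alice","mutation":"updateUserEnvironment","environmentId":"cl9alice0001"}
{"ts":"2026-02-26T10:00:05Z","actor":"bob","mutation":"updateUserEnvironment","environmentId":"cl9alice0001"}
{"ts":"2026-02-26T10:00:09Z","actor":"bob","mutation":"deleteUserEnvironment","environmentId":"cl9alice0001"}
{"ts":"2026-02-26T10:00:12Z","actor":"bob","mutation":"deleteUserEnvironment","environmentId":"cl9global003"}
{"ts":"2026-02-26T10:00:15Z","actor":"carol","mutation":"updateUserEnvironment","environmentId":"cl9unknown99"}
{"ts":"2026-02-26T10:00:20Z","actor":"bob","mutation":"createUserEnvironment","environmentId":"cl9bob000009"}
this line is not JSON and is skipped
`;

function isAuditEntry(v: unknown): v is AuditEntry {
  if (typeof v !== "object" || v === null) return false;
  const o = v as Record<string, unknown>;
  return ["ts", "actor", "mutation", "environmentId"].every((k) => typeof o[k] === "string");
}

// Parse JSON lines, dropping blank and malformed lines instead of aborting.
function parseAuditLog(text: string): AuditEntry[] {
  const out: AuditEntry[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    try {
      const v: unknown = JSON.parse(line);
      if (isAuditEntry(v)) out.push(v);
    } catch {
      // malformed line: skip it
    }
  }
  return out;
}

// Flag every watched mutation whose caller is not the owner of the target.
// Before the fix these calls succeeded silently; after it they fail, but a
// run of them from one account is still evidence of probing.
function findCrossUserAccess(entries: AuditEntry[], owners: Record<string, string | null>): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    if (!WATCHED_MUTATIONS.has(e.mutation)) continue;
    const known = Object.prototype.hasOwnProperty.call(owners, e.environmentId);
    const owner = known ? owners[e.environmentId] : undefined;
    let reason: string | null = null;
    if (!known) reason = "target environment ID unknown (already deleted, or a probe)";
    else if (owner === null) reason = "global environment targeted through a user-environment mutation";
    else if (owner !== e.actor) reason = `caller is not the owner (${owner})`;
    if (reason) findings.push({ ...e, owner, reason });
  }
  return findings;
}

// Count findings per caller; repeated hits from one account point at an insider.
function countByActor(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.actor] = (counts[f.actor] ?? 0) + 1;
  return counts;
}
```

Running `findCrossUserAccess(parseAuditLog(sampleLog), ownership)` on the constructed log flags bob's three cross-user calls and carol's call against an unknown ID, and leaves alice's edit of her own environment alone. Unknown IDs are reported rather than ignored because an environment deleted after the snapshot and a guessed ID look identical in the log; the reason string lets the reviewer tell the two apart by checking the database.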