CVE-2026-59720
Received Received - Intake

Mock Server Public Exposure in Hoppscotch Prior to 2026.6.0

Vulnerability report for CVE-2026-59720, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hoppscotch hoppscotch to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Hoppscotch prior to version 2026.6.0 causes mock servers linked to private collections to be publicly accessible without authentication, potentially exposing sensitive API data such as API keys and user information.

This unintended public exposure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

By allowing unauthorized access to private API data, the vulnerability increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these regulations.

The issue was fixed in version 2026.6.0 by ensuring the `isPublic` field defaults to private unless explicitly set, thereby restoring proper access controls and helping maintain compliance with such standards.

Executive Summary

The vulnerability in Hoppscotch versions prior to 2026.6.0 involves the creation of mock servers where the 'isPublic' field is not properly persisted. Because the database schema defaults 'isPublic' to true, mock servers linked to private collections were unintentionally made publicly accessible without authentication.

This means that private API data, including sensitive information, could be exposed to unauthorized users. The root cause is that during mock server creation, the 'isPublic' input was not explicitly set, allowing the default public setting to take effect.

Impact Analysis

This vulnerability can lead to unauthorized public access to mock servers that were intended to be private. As a result, sensitive API data such as API keys, user information, and private collection responses could be exposed to anyone without authentication.

Such exposure can compromise the confidentiality of your data and potentially lead to misuse or data breaches.

Detection Guidance

This vulnerability involves mock servers in Hoppscotch being publicly accessible due to the isPublic field defaulting to true. Detection involves identifying mock servers linked to private collections that are accessible without authentication.

You can detect this by checking the accessibility of mock servers that should be private. For example, attempt to access mock server endpoints without authentication and verify if sensitive data is exposed.

Specific commands are not provided in the resources, but general approaches include:

  • Use network scanning tools (e.g., nmap) to identify open mock server ports.
  • Use curl or wget to send requests to mock server URLs and check if responses include sensitive data without authentication.
  • Review Hoppscotch mock server configurations or database entries to verify the isPublic field values.
Mitigation Strategies

The primary mitigation step is to upgrade Hoppscotch to version 2026.6.0 or later, where the vulnerability is fixed by ensuring the isPublic field defaults to false unless explicitly set.

Additionally, review existing mock servers created before the fix, as they may still be publicly accessible. Manually update their isPublic settings to false or recreate them after the upgrade.

Ensure that mock servers linked to private collections are not accessible without authentication by verifying access controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart