CVE-2026-59721
Received Received - Intake

Path Traversal in Hoppscotch API Development Ecosystem

Vulnerability report for CVE-2026-59721, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
hoppscotch hoppscotch 2026.6.0
hoppscotch hoppscotch to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59721 is a critical security vulnerability in the Hoppscotch self-hosted backend that allows an attacker with admin privileges to execute arbitrary commands as root on the backend container.

The issue arises from improper validation of the MAILER_SMTP_URL configuration parameter in the updateInfraConfigs GraphQL mutation. The validateSMTPUrl function permitted SMTP URLs containing path, query, or fragment components, which nodemailer then parsed into sendmail transport options.

An attacker can inject malicious parameters such as path and args into the SMTP URL, which nodemailer uses to spawn commands. When the backend container restarts and sends mail, these injected commands execute with root privileges.

The vulnerability was fixed in version 2026.6.0 by replacing the permissive validation with a stricter approach that only allows basic SMTP URL formats without any additional components.

Impact Analysis

This vulnerability can lead to full compromise of the backend container running Hoppscotch.

  • An attacker with admin privileges can execute arbitrary commands as root, gaining complete control over the container.
  • Sensitive data such as database credentials and encryption keys stored in the container can be accessed or stolen.
  • The attacker may move laterally to other containers on the Docker network, expanding the scope of the compromise.
  • The attack requires only one GraphQL mutation and an anonymous sign-in request, making it relatively easy to exploit if admin access is obtained.
Detection Guidance

This vulnerability can be detected by checking if the MAILER_SMTP_URL configuration contains suspicious components such as query strings, paths, or fragments that are not normally part of a valid SMTP URL. Specifically, look for parameters like sendmail=true, path=/bin/sh, or args=-c which indicate potential malicious injection.

Since the vulnerability involves the updateInfraConfigs GraphQL mutation, monitoring GraphQL mutation requests for unusual MAILER_SMTP_URL values can help detect exploitation attempts.

Suggested commands to detect suspicious SMTP URL configurations or payloads might include grepping configuration files or logs for MAILER_SMTP_URL values containing unexpected characters or components:

  • grep -r 'MAILER_SMTP_URL' /path/to/hoppscotch/config
  • grep -E 'path=|args=|sendmail=true' /path/to/hoppscotch/config
  • Monitor GraphQL mutation logs for updateInfraConfigs calls with suspicious MAILER_SMTP_URL payloads.
Mitigation Strategies

The immediate mitigation step is to upgrade Hoppscotch to version 2026.6.0 or later, where the vulnerability is fixed by stricter SMTP URL validation that rejects any URL components beyond the basic smtp(s)://[user:pass@]host[:port] format.

If upgrading immediately is not possible, manually verify and sanitize the MAILER_SMTP_URL configuration to ensure it does not contain any query strings, paths, fragments, or other suspicious components that could be used to inject commands.

Additionally, restrict admin access to trusted users only, as exploitation requires admin privileges to perform the malicious GraphQL mutation.

Restart the backend container after applying the fix or configuration changes to ensure the mailer service reloads the safe SMTP URL.

Compliance Impact

CVE-2026-59721 allows an attacker with admin privileges to execute arbitrary commands as root in the backend container, leading to full container compromise and access to sensitive data such as database credentials and encryption keys.

Such a compromise can result in unauthorized access, disclosure, or modification of sensitive personal data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, this vulnerability poses a significant risk to maintaining compliance with these regulations by potentially exposing sensitive data and failing to ensure data confidentiality and integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart