What is the CVSS score of CVE-2026-28216?

CVE-2026-28216 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-28216?

Yes, a public proof-of-concept exploit is available for CVE-2026-28216. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-28216?

Within 24 hours: Immediately assess if your organization uses Hoppscotch and identify all users with API environment data; restrict access to the application if possible pending remediation. Within 7 days: Monitor user activity logs for suspicious environment modifications or deletions; prepare communication plan for affected users. Within 30 days: Deploy version 2026.2.0 or later when available; conduct audit of all user environments for unauthorized changes; reset any exposed credentials.

Hoppscotch CVE-2026-28216

Q: Which versions of Hoppscotch are affected by CVE-2026-28216?

A critical access control vulnerability in Hoppscotch allows any authenticated user to read, modify, or delete other users' API environment configurations without authorization.

HIGH

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-02-26 security-advisories@github.com

Information Disclosure Hoppscotch

8.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.3 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Feb 27, 2026 - 15:51 vuln.today

Public exploit code

CVE Published

Feb 26, 2026 - 23:16 nvd

HIGH 8.3

DescriptionGitHub Advisory

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. user-environments.resolver.ts:82-109, updateUserEnvironment mutation uses @UseGuards(GqlAuthGuard) but is missing the @GqlUser() decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a prisma.userEnvironment.update({ where: { id } }) without any ownership filter. deleteUserEnvironment does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.

AnalysisAI

Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs that allow any authenticated user to read, modify, or delete other users' environments without ownership validation. The affected mutations lack proper user identity verification, enabling attackers to access stored API keys, authentication tokens, and secrets contained within targeted environments. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as any logged-in user

Exploit

Send GraphQL mutation with target environment ID

Execution

Bypass ownership validation

Impact

Read, modify, or delete another user's environment