CVE-2026-28216

Q: Is Hoppscotch affected by CVE-2026-28216?

A critical access control vulnerability in Hoppscotch allows any authenticated user to read, modify, or delete other users' API environment configurations without authorization.

HIGH

2026-02-26 [email protected]

8.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Feb 27, 2026 - 15:51 vuln.today

Public exploit code

CVE Published

Feb 26, 2026 - 23:16 nvd

HIGH 8.3

Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.

Analysis

Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs that allow any authenticated user to read, modify, or delete other users' environments without ownership validation. The affected mutations lack proper user identity verification, enabling attackers to access stored API keys, authentication tokens, and secrets contained within targeted environments. …

Remediation

Within 24 hours: Immediately assess if your organization uses Hoppscotch and identify all users with API environment data; restrict access to the application if possible pending remediation. Within 7 days: Monitor user activity logs for suspicious environment modifications or deletions; prepare communication plan for affected users. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +42

POC: +20

CVE-2026-28216 vulnerability details – vuln.today

Back

CVE-2026-28216

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28216

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code