Skip to main content

Hoppscotch CVE-2026-59720

| EUVDEUVD-2026-42654 HIGH
Information Exposure (CWE-200)
2026-07-09 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote reads of private mock data give AV:N/AC:L/PR:N/UI:N and C:H, with no integrity or availability impact (I:N/A:N) and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 19:01 EUVD
Analysis Generated
Jul 09, 2026 - 18:36 vuln.today

DescriptionCVE.org

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.

AnalysisAI

Unauthorized information disclosure in Hoppscotch prior to 2026.6.0 exposes mock servers linked to private collections to the public internet without authentication. The mock server creation logic in mock-server.service.ts silently drops the caller-supplied isPublic flag, while the Prisma schema defaults isPublic to true, so servers intended to be private are created as public. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed Hoppscotch instance
Delivery
Enumerate mock server endpoints
Exploit
Request mock URL unauthenticated
Execution
Receive data from private collection
Impact
Exfiltrate sensitive API definitions

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim operator created a mock server tied to a private collection on a Hoppscotch instance older than 2026.6.0, and that the mock server endpoint is reachable by the attacker over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent: remote, low-complexity, unauthenticated read access with high confidentiality impact and no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates or guesses mock server URLs on an exposed Hoppscotch instance and requests them directly over HTTP without any credentials. Because the servers were stored as public despite belonging to private collections, the attacker receives the mocked responses and embedded API definitions, harvesting sensitive endpoint structures, sample data, and headers. …
Remediation Vendor-released patch: 2026.6.0 - upgrade Hoppscotch to version 2026.6.0 or later (https://github.com/hoppscotch/hoppscotch/releases/tag/2026.6.0), which persists the isPublic field correctly; the fix landed in PR #6410 (https://github.com/hoppscotch/hoppscotch/pull/6410) and commit e4332110d455a3012d5c77a9186bc4aa096e34f2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Hoppscotch instances to identify mock servers linked to private collections and determine whether sensitive data has been exposed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy