Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Admin-only infra mutation makes PR:H; network-reachable GraphQL with a straightforward payload gives AV:N/AC:L, and root command execution yields full C/I/A:H.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.
AnalysisAI
Command injection in self-hosted Hoppscotch instances prior to 2026.6.0 allows an authenticated administrator to achieve root-level code execution in the backend container. The updateInfraConfigs GraphQL mutation accepts an attacker-controlled MAILER_SMTP_URL whose path, query, or fragment is parsed by nodemailer into sendmail transport options, turning SMTP configuration into arbitrary command execution once the service restarts and sends mail. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated admin account able to call the updateInfraConfigs GraphQL mutation (CVSS PR:H), so this is not exploitable by anonymous users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable, low-complexity, no user interaction, but gated behind high privileges (PR:H), namely an existing admin account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained Hoppscotch admin access (via credential theft, a rogue administrator, or a chained flaw) submits an updateInfraConfigs GraphQL mutation setting MAILER_SMTP_URL to a crafted value whose fragment or query embeds sendmail transport options pointing at an arbitrary command. After the backend restarts and the next email is dispatched, nodemailer executes the injected command as root inside the container. … |
| Remediation | Vendor-released patch: 2026.6.0 - upgrade all self-hosted Hoppscotch backend containers to 2026.6.0 or later, which corrects validateSMTPUrl to reject path/query/fragment content that nodemailer would treat as sendmail options (fix commit 73a88c82b1b2cada26cc4b2bc095b54554242239, PR https://github.com/hoppscotch/hoppscotch/pull/6413, advisory https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-v7q6-r45w-2c6r). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Hoppscotch deployments running versions prior to 2026.6.0 and audit administrator account assignments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42653