Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated remote reads of private mock data give AV:N/AC:L/PR:N/UI:N and C:H, with no integrity or availability impact (I:N/A:N) and no scope change.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.
AnalysisAI
Unauthorized information disclosure in Hoppscotch prior to 2026.6.0 exposes mock servers linked to private collections to the public internet without authentication. The mock server creation logic in mock-server.service.ts silently drops the caller-supplied isPublic flag, while the Prisma schema defaults isPublic to true, so servers intended to be private are created as public. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim operator created a mock server tied to a private collection on a Hoppscotch instance older than 2026.6.0, and that the mock server endpoint is reachable by the attacker over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent: remote, low-complexity, unauthenticated read access with high confidentiality impact and no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates or guesses mock server URLs on an exposed Hoppscotch instance and requests them directly over HTTP without any credentials. Because the servers were stored as public despite belonging to private collections, the attacker receives the mocked responses and embedded API definitions, harvesting sensitive endpoint structures, sample data, and headers. … |
| Remediation | Vendor-released patch: 2026.6.0 - upgrade Hoppscotch to version 2026.6.0 or later (https://github.com/hoppscotch/hoppscotch/releases/tag/2026.6.0), which persists the isPublic field correctly; the fix landed in PR #6410 (https://github.com/hoppscotch/hoppscotch/pull/6410) and commit e4332110d455a3012d5c77a9186bc4aa096e34f2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all Hoppscotch instances to identify mock servers linked to private collections and determine whether sensitive data has been exposed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42654