PT-2026-22211 · Unknown · Hoppscotch
Tracemint · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-28216
CVSS v3.1: 8.3 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: hoppscotch versions prior to 2026.2.0
Description: Hoppscotch is an API development ecosystem. Prior to version 2026.2.0, any logged-in user could read, modify, or delete another user's personal environment by ID. The cause is missing authorization checks in user-environments.resolver.ts: the updateUserEnvironment mutation lacks the @GqlUser() decorator, so the service receives only the environment ID and performs prisma.userEnvironment.update({ where: { id } }) with no ownership filter. The deleteUserEnvironment function also checks too little, verifying only whether the target is a global environment. Hoppscotch environments store API keys, auth tokens, and secrets used in API requests, so an attacker who obtains another user's environment ID could read, replace, or delete that sensitive data. Environment IDs are CUIDs.
Recommendations: Update hoppscotch to version 2026.2.0 or later.
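The advisory's root cause is a WHERE clause that filters on the environment ID alone. The following is an added illustration, not Hoppscotch's own code: an in-memory store stands in for the Prisma `userEnvironment` delegate (its `where.userUid` filter and null-on-miss behaviour are constructed for this example), and the names `userUid`, `callerUid`, `updateUserEnvironmentVulnerable`, `updateUserEnvironmentScoped` and `deleteUserEnvironmentScoped` are assumptions. It places the pre-fix shape next to an ownership-scoped version in which the authenticated user's id, which a `@GqlUser()`-style decorator would inject, becomes part of the query, so a foreign ID is simply a miss.

```typescript
// Added example, not Hoppscotch code. The store below is a constructed stand-in
// for prisma.userEnvironment; field and function names are assumptions.

type UserEnvironment = {
  id: string;                         // CUID in the real project; any unique string here
  userUid: string;                    // owner of this personal environment
  name: string;
  variables: Record<string, string>;  // API keys, tokens and secrets live here
};

type Where = { id: string; userUid?: string };
type Patch = Partial<Pick<UserEnvironment, "name" | "variables">>;
type Result<T> = { ok: true; value: T } | { ok: false; error: string };

// Constructed stand-in for a Prisma model delegate: `where` may carry an
// optional owner filter, and a miss returns null instead of throwing.
class UserEnvironmentStore {
  private rows = new Map<string, UserEnvironment>();

  constructor(seed: UserEnvironment[]) {
    for (const r of seed) this.rows.set(r.id, { ...r, variables: { ...r.variables } });
  }

  private match(where: Where): UserEnvironment | undefined {
    const row = this.rows.get(where.id);
    if (!row) return undefined;
    if (where.userUid !== undefined && row.userUid !== where.userUid) return undefined;
    return row;
  }

  update(args: { where: Where; data: Patch }): UserEnvironment | null {
    const row = this.match(args.where);
    if (!row) return null;
    Object.assign(row, args.data);
    return { ...row, variables: { ...row.variables } };
  }

  delete(args: { where: Where }): UserEnvironment | null {
    const row = this.match(args.where);
    if (!row) return null;
    this.rows.delete(row.id);
    return row;
  }

  count(): number {
    return this.rows.size;
  }
}

// Pre-fix shape from the advisory: only the environment ID reaches the service,
// so the WHERE clause never asks who owns the row.
function updateUserEnvironmentVulnerable(
  store: UserEnvironmentStore, id: string, data: Patch,
): UserEnvironment | null {
  return store.update({ where: { id }, data });
}

// Ownership-scoped version: the caller's uid is part of the WHERE clause.
// The same error covers "does not exist" and "not yours", so the response
// does not confirm whether a guessed ID is valid.
function updateUserEnvironmentScoped(
  store: UserEnvironmentStore, callerUid: string, id: string, data: Patch,
): Result<UserEnvironment> {
  const row = store.update({ where: { id, userUid: callerUid }, data });
  return row ? { ok: true, value: row } : { ok: false, error: "environment not found" };
}

function deleteUserEnvironmentScoped(
  store: UserEnvironmentStore, callerUid: string, id: string,
): Result<UserEnvironment> {
  const row = store.delete({ where: { id, userUid: callerUid } });
  return row ? { ok: true, value: row } : { ok: false, error: "environment not found" };
}

// Runs both shapes over constructed sample data: two users, one environment each.
function demo(): {
  crossUserWriteSucceeded: boolean; scopedWriteBlocked: boolean;
  ownerCanEdit: boolean; scopedDeleteBlocked: boolean; rowsLeft: number;
} {
  const store = new UserEnvironmentStore([
    { id: "clxalice0001", userUid: "alice", name: "prod", variables: { API_KEY: "alice-secret" } },
    { id: "clxbob000002", userUid: "bob", name: "dev", variables: {} },
  ]);
  // Unscoped update: bob's request against alice's ID goes through.
  const crossUserWriteSucceeded =
    updateUserEnvironmentVulnerable(store, "clxalice0001", { name: "renamed" }) !== null;
  // Scoped update and delete: the same request is a miss for bob but works for alice.
  const scopedWriteBlocked = !updateUserEnvironmentScoped(store, "bob", "clxalice0001", { name: "x" }).ok;
  const ownerCanEdit = updateUserEnvironmentScoped(store, "alice", "clxalice0001", { name: "prod" }).ok;
  const scopedDeleteBlocked = !deleteUserEnvironmentScoped(store, "bob", "clxalice0001").ok;
  return { crossUserWriteSucceeded, scopedWriteBlocked, ownerCanEdit, scopedDeleteBlocked, rowsLeft: store.count() };
}
```

Putting the owner into the WHERE clause, rather than fetching the row and comparing afterwards, keeps the check in the same statement as the write, so there is no window in which a later refactor can drop it, and it gives one uniform "not found" answer for both missing and foreign IDs.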

Weakness class: IDOR



Related Identifiers: CVE-2026-28216, GHSA-72RV-VC3J-5VQR

Affected Products: Hoppscotch