PT-2026-22212 · Unknown · Hoppscotch

Bugbunny-Research · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-28217

CVSS v3.1 6.5 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: hoppscotch versions prior to 2026.2.0

Description: The userCollection GraphQL query in hoppscotch does not verify ownership before returning collection data to authenticated users. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check: the query accepts an arbitrary collection ID and returns the full collection to any authenticated user, regardless of who owns it. Collections hold saved HTTP requests and their headers, which may contain sensitive values such as API keys or bearer tokens, so any low-privileged account can read other users' data. Authentication is required (PR:L) and the impact is on confidentiality only (C:H/I:N/A:N).

Recommendations: Update to version 2026.2.0 or later.
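The missing check described above, modelled in TypeScript as an added example. This is not Hoppscotch's own code: the Collection type, the in-memory store, the userUid field and the resolver names are assumptions chosen for illustration. The vulnerable resolver returns whatever row matches the client-supplied ID; the hardened one also compares the row's owner with the authenticated caller before returning it.

```typescript
// Added example, not Hoppscotch's code. All identifiers below are
// hypothetical stand-ins for the real userCollection resolver.

interface Collection {
  id: string;
  userUid: string; // owner of the collection
  title: string;
  // Saved requests carry headers that may include credentials.
  requests: { name: string; headers: Record<string, string> }[];
}

interface AuthUser {
  uid: string;
}

class NotFoundError extends Error {}

// Constructed in-memory store standing in for the database.
const store = new Map<string, Collection>([
  [
    "col-alice",
    {
      id: "col-alice",
      userUid: "alice",
      title: "Internal API",
      requests: [
        { name: "List users", headers: { Authorization: "Bearer alice-secret" } },
      ],
    },
  ],
  [
    "col-bob",
    { id: "col-bob", userUid: "bob", title: "Bob's tests", requests: [{ name: "Ping", headers: {} }] },
  ],
]);

// Vulnerable pattern: the caller must be authenticated, but the lookup is
// keyed only by the client-supplied ID, so any user can read any collection.
function resolveUserCollectionVulnerable(_caller: AuthUser, collectionID: string): Collection {
  const col = store.get(collectionID);
  if (!col) throw new NotFoundError("collection not found");
  return col;
}

// Hardened pattern: load by ID, then require that the authenticated caller
// owns the row. Missing and foreign IDs get the same error so the endpoint
// does not confirm which IDs exist.
function resolveUserCollectionFixed(caller: AuthUser, collectionID: string): Collection {
  const col = store.get(collectionID);
  if (!col || col.userUid !== caller.uid) {
    throw new NotFoundError("collection not found");
  }
  return col;
}

// Two-account check: can bob read alice's collection through the given resolver?
function canReadForeignCollection(
  resolver: (caller: AuthUser, id: string) => Collection,
): boolean {
  try {
    resolver({ uid: "bob" }, "col-alice");
    return true;
  } catch {
    return false;
  }
}

console.log("vulnerable leaks:", canReadForeignCollection(resolveUserCollectionVulnerable));
console.log("fixed leaks:", canReadForeignCollection(resolveUserCollectionFixed));
```

The same two-account check, run against a deployed instance after upgrading (read a collection ID that belongs to a different user while authenticated as a low-privileged account), is the quickest way to confirm that the authorization check is in place.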

Missing Authorization

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-28217
GHSA-M5PG-R4JP-QQ75

Affected Products

Hoppscotch