CVE-2026-28216 Overview
CVE-2026-28216 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Hoppscotch, an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify, or delete another user's personal environment by ID due to missing ownership validation in the GraphQL resolvers.
The vulnerability stems from improper access control in the user-environments.resolver.ts file. The updateUserEnvironment mutation uses @UseGuards(GqlAuthGuard) but is missing the @GqlUser() decorator entirely, meaning the user's identity is never extracted. The service receives only the environment ID and performs a prisma.userEnvironment.update({ where: { id } }) without any ownership filter. Similarly, deleteUserEnvironment extracts the user but the service only uses the UID to check if the target is a global environment—the actual delete query uses WHERE { id } without AND userUid.
Critical Impact
Hoppscotch environments store API keys, auth tokens, and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values, or delete them entirely. While the CUID format limits mass exploitation, insider threat and combined information leak scenarios are realistic attack vectors.
Affected Products
- Hoppscotch versions prior to 2026.2.0
- Self-hosted Hoppscotch instances running vulnerable versions
- Hoppscotch SaaS deployments prior to the patch
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-28216 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-28216
Vulnerability Analysis
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), a form of broken access control where an application uses user-supplied input to directly access objects without proper authorization checks.
The fundamental issue lies in how the Hoppscotch GraphQL API handles user environment operations. The application implements authentication via GqlAuthGuard to ensure requests come from logged-in users, but fails to implement proper authorization to verify that the authenticated user actually owns the resource they're attempting to access.
In the updateUserEnvironment mutation, the decorator chain only includes @UseGuards(GqlAuthGuard) without the corresponding @GqlUser() decorator. This means while the system verifies a user is authenticated, it never extracts or validates their identity against the target environment's ownership. The subsequent Prisma query operates solely on the provided environment ID with no ownership constraint.
The deleteUserEnvironment mutation presents a slightly different pattern—it does extract the user identity but only uses it to determine if the target is a global environment. The critical delete operation proceeds with a simple ID-based WHERE clause, bypassing ownership verification entirely.
Root Cause
The root cause is missing authorization checks in the GraphQL resolver layer. Specifically:
- The updateUserEnvironment mutation omits the @GqlUser() decorator, preventing user context from being available during the update operation
- The deleteUserEnvironment mutation has inconsistent authorization logic—extracting user identity but not applying it to the ownership check in the delete query
- Both operations rely solely on object IDs without enforcing that the authenticated user owns the target environment
This represents a classic IDOR vulnerability where the application trusts user-supplied identifiers without validating access permissions.
Attack Vector
The attack requires network access and low-privileged authentication. An attacker must:
- Register or compromise a valid Hoppscotch user account
- Obtain a target user's environment ID (through information disclosure, social engineering, or brute-force enumeration of CUID values)
- Craft GraphQL mutations targeting the updateUserEnvironment or deleteUserEnvironment resolvers with the victim's environment ID
- Execute the mutation to read, modify, or delete the victim's environment data
The vulnerability affects confidentiality and integrity significantly, as environments typically contain sensitive API credentials, authentication tokens, and secrets. The CUID format provides some protection against blind enumeration attacks, but insider threats and targeted attacks remain viable.
Detection Methods for CVE-2026-28216
Indicators of Compromise
- Unusual GraphQL mutation activity targeting updateUserEnvironment or deleteUserEnvironment from authenticated sessions
- Access logs showing environment operations where the requesting user does not own the target environment
- Unexpected modifications or deletions of user environment configurations
- Users reporting missing or altered API credentials in their Hoppscotch environments
Detection Strategies
- Implement audit logging for all user environment CRUD operations, capturing both the authenticated user and target environment ownership
- Monitor GraphQL query patterns for suspicious access to environment IDs not associated with the requesting user
- Deploy anomaly detection to identify users accessing unusually high numbers of environment endpoints
- Review application logs for environment modification events that cross user boundaries
Monitoring Recommendations
- Enable detailed request logging for the GraphQL API endpoint, particularly for mutation operations
- Set up alerts for environment modification events occurring outside normal user activity patterns
- Implement rate limiting on environment-related GraphQL mutations to slow potential enumeration attempts
- Conduct periodic access control audits to verify environment ownership constraints are enforced
How to Mitigate CVE-2026-28216
Immediate Actions Required
- Upgrade Hoppscotch to version 2026.2.0 or later immediately
- Audit existing environment data for unauthorized modifications if you suspect exploitation
- Review access logs for suspicious environment operations prior to patching
- Rotate any sensitive API keys, tokens, or secrets stored in Hoppscotch environments as a precaution
Patch Information
The vulnerability is fixed in Hoppscotch version 2026.2.0. Organizations should upgrade to this version or later to remediate the vulnerability. Release details are available in the GitHub Release Notes. Additional technical details about the vulnerability can be found in the GitHub Security Advisory.
Workarounds
- Restrict network access to Hoppscotch instances to trusted users only until patching is complete
- Implement additional network-level access controls or Web Application Firewall (WAF) rules to monitor GraphQL mutations
- Consider temporarily disabling user environment features if the risk is deemed critical for your deployment
- Move highly sensitive credentials to external secret management solutions rather than storing them in Hoppscotch environments
# Upgrade Hoppscotch to patched version
# For self-hosted Docker deployments:
docker pull hoppscotch/hoppscotch:2026.2.0
docker-compose down && docker-compose up -d
# Verify the running version
docker exec <container_name> cat package.json | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
