Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28216

CVE-2026-28216: Hoppscotch Auth Bypass Vulnerability

CVE-2026-28216 is an authentication bypass vulnerability in Hoppscotch that allows logged-in users to access, modify, or delete other users' personal environments. This post covers technical details, affected versions, and fixes.

Published:

CVE-2026-28216 Overview

CVE-2026-28216 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Hoppscotch, an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify, or delete another user's personal environment by ID due to missing ownership validation in the GraphQL resolvers.

The vulnerability stems from improper access control in the user-environments.resolver.ts file. The updateUserEnvironment mutation uses @UseGuards(GqlAuthGuard) but is missing the @GqlUser() decorator entirely, meaning the user's identity is never extracted. The service receives only the environment ID and performs a prisma.userEnvironment.update({ where: { id } }) without any ownership filter. Similarly, deleteUserEnvironment extracts the user but the service only uses the UID to check if the target is a global environment—the actual delete query uses WHERE { id } without AND userUid.

Critical Impact

Hoppscotch environments store API keys, auth tokens, and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values, or delete them entirely. While the CUID format limits mass exploitation, insider threat and combined information leak scenarios are realistic attack vectors.

Affected Products

  • Hoppscotch versions prior to 2026.2.0
  • Self-hosted Hoppscotch instances running vulnerable versions
  • Hoppscotch SaaS deployments prior to the patch

Discovery Timeline

  • 2026-02-26 - CVE CVE-2026-28216 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-28216

Vulnerability Analysis

This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), a form of broken access control where an application uses user-supplied input to directly access objects without proper authorization checks.

The fundamental issue lies in how the Hoppscotch GraphQL API handles user environment operations. The application implements authentication via GqlAuthGuard to ensure requests come from logged-in users, but fails to implement proper authorization to verify that the authenticated user actually owns the resource they're attempting to access.

In the updateUserEnvironment mutation, the decorator chain only includes @UseGuards(GqlAuthGuard) without the corresponding @GqlUser() decorator. This means while the system verifies a user is authenticated, it never extracts or validates their identity against the target environment's ownership. The subsequent Prisma query operates solely on the provided environment ID with no ownership constraint.

The deleteUserEnvironment mutation presents a slightly different pattern—it does extract the user identity but only uses it to determine if the target is a global environment. The critical delete operation proceeds with a simple ID-based WHERE clause, bypassing ownership verification entirely.

Root Cause

The root cause is missing authorization checks in the GraphQL resolver layer. Specifically:

  1. The updateUserEnvironment mutation omits the @GqlUser() decorator, preventing user context from being available during the update operation
  2. The deleteUserEnvironment mutation has inconsistent authorization logic—extracting user identity but not applying it to the ownership check in the delete query
  3. Both operations rely solely on object IDs without enforcing that the authenticated user owns the target environment

This represents a classic IDOR vulnerability where the application trusts user-supplied identifiers without validating access permissions.

Attack Vector

The attack requires network access and low-privileged authentication. An attacker must:

  1. Register or compromise a valid Hoppscotch user account
  2. Obtain a target user's environment ID (through information disclosure, social engineering, or brute-force enumeration of CUID values)
  3. Craft GraphQL mutations targeting the updateUserEnvironment or deleteUserEnvironment resolvers with the victim's environment ID
  4. Execute the mutation to read, modify, or delete the victim's environment data

The vulnerability affects confidentiality and integrity significantly, as environments typically contain sensitive API credentials, authentication tokens, and secrets. The CUID format provides some protection against blind enumeration attacks, but insider threats and targeted attacks remain viable.

Detection Methods for CVE-2026-28216

Indicators of Compromise

  • Unusual GraphQL mutation activity targeting updateUserEnvironment or deleteUserEnvironment from authenticated sessions
  • Access logs showing environment operations where the requesting user does not own the target environment
  • Unexpected modifications or deletions of user environment configurations
  • Users reporting missing or altered API credentials in their Hoppscotch environments

Detection Strategies

  • Implement audit logging for all user environment CRUD operations, capturing both the authenticated user and target environment ownership
  • Monitor GraphQL query patterns for suspicious access to environment IDs not associated with the requesting user
  • Deploy anomaly detection to identify users accessing unusually high numbers of environment endpoints
  • Review application logs for environment modification events that cross user boundaries

Monitoring Recommendations

  • Enable detailed request logging for the GraphQL API endpoint, particularly for mutation operations
  • Set up alerts for environment modification events occurring outside normal user activity patterns
  • Implement rate limiting on environment-related GraphQL mutations to slow potential enumeration attempts
  • Conduct periodic access control audits to verify environment ownership constraints are enforced

How to Mitigate CVE-2026-28216

Immediate Actions Required

  • Upgrade Hoppscotch to version 2026.2.0 or later immediately
  • Audit existing environment data for unauthorized modifications if you suspect exploitation
  • Review access logs for suspicious environment operations prior to patching
  • Rotate any sensitive API keys, tokens, or secrets stored in Hoppscotch environments as a precaution

Patch Information

The vulnerability is fixed in Hoppscotch version 2026.2.0. Organizations should upgrade to this version or later to remediate the vulnerability. Release details are available in the GitHub Release Notes. Additional technical details about the vulnerability can be found in the GitHub Security Advisory.

Workarounds

  • Restrict network access to Hoppscotch instances to trusted users only until patching is complete
  • Implement additional network-level access controls or Web Application Firewall (WAF) rules to monitor GraphQL mutations
  • Consider temporarily disabling user environment features if the risk is deemed critical for your deployment
  • Move highly sensitive credentials to external secret management solutions rather than storing them in Hoppscotch environments
bash
# Upgrade Hoppscotch to patched version
# For self-hosted Docker deployments:
docker pull hoppscotch/hoppscotch:2026.2.0
docker-compose down && docker-compose up -d

# Verify the running version
docker exec <container_name> cat package.json | grep version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne