CVE-2026-28217 Overview
Hoppscotch, an open source API development ecosystem, contains an Insecure Direct Object Reference (IDOR) vulnerability in its GraphQL API prior to version 2026.2.0. The userCollection GraphQL query accepts an arbitrary collection ID and returns full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially secrets — to any authenticated user without verifying that the requesting user owns the collection.
Critical Impact
Any authenticated user can access sensitive API collections belonging to other users, potentially exposing authentication tokens, API keys, and other secrets stored in HTTP request headers.
Affected Products
- Hoppscotch versions prior to 2026.2.0
Discovery Timeline
- 2026-02-26 - CVE-2026-28217 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-28217
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) pattern in Hoppscotch's GraphQL implementation. The userCollection query endpoint fails to implement proper authorization checks, allowing any authenticated user to retrieve collection data belonging to other users simply by supplying their collection IDs.
The flaw is particularly notable because the security advisory indicates that authorization checks exist on every other operation in the same resolver — this specific query was the sole exception. The exposed collection data includes the full serialized data field, which typically contains HTTP request configurations including headers that may store sensitive authentication credentials, API keys, bearer tokens, and other secrets.
Root Cause
The root cause is a missing authorization check (CWE-862) in the userCollection GraphQL query resolver. While other operations in the same resolver properly validate that the requesting user owns the requested resource, this particular query only requires the user to be authenticated — it does not verify ownership of the collection being accessed. This gap in the authorization logic creates a horizontal privilege escalation scenario where authenticated users can access data belonging to other users at the same privilege level.
Attack Vector
The attack is network-based and requires only a low-privilege authenticated account. An attacker would need valid credentials to authenticate with the Hoppscotch instance, but would not require any special privileges beyond basic user access.
The exploitation path involves the following sequence:
- The attacker authenticates to the Hoppscotch application with a valid user account
- The attacker enumerates or guesses collection IDs (which may be predictable or sequential)
- The attacker sends GraphQL queries to the userCollection endpoint with target collection IDs
- The server returns full collection data without validating ownership
- The attacker extracts sensitive information from the returned data field, including HTTP headers containing authentication secrets
This attack is particularly effective because the response includes complete request configurations that users have saved, which commonly contain API keys, bearer tokens, and other authentication mechanisms for third-party services.
Detection Methods for CVE-2026-28217
Indicators of Compromise
- Unusual volume of userCollection GraphQL queries from a single authenticated user
- Sequential or enumerated collection ID patterns in the query's arguments or variables from non-administrative users
- Access logs showing users querying collection IDs they do not own
- Anomalous data access patterns where users retrieve many collections in rapid succession
Detection Strategies
- Implement GraphQL query logging to capture all userCollection requests with associated user context
- Monitor for users accessing collection IDs outside their normal usage patterns
- Alert on bulk collection queries that exceed typical user behavior thresholds
- Review authentication logs for accounts that may have been compromised and used for data harvesting
Monitoring Recommendations
- Enable detailed audit logging for all GraphQL API operations
- Configure alerts for anomalous access patterns to collection resources
- Implement rate limiting on GraphQL queries to slow potential enumeration attacks
- Establish baseline metrics for normal userCollection query patterns to detect deviations
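The following TypeScript script is an added example, not code from Hoppscotch or from the advisory. It applies the indicators and detection strategies listed above to a constructed GraphQL audit log. It assumes a hypothetical JSON-lines log format with the fields ts, user, op and collectionID (a real deployment's logging would need to be mapped onto these), and an ownership map (collection ID to owner) exported from the application database. It flags three things per user: userCollection queries for collections owned by someone else, an unusually high number of distinct collections queried, and runs of consecutive numeric IDs that suggest enumeration.

```typescript
// Added example: detection logic for the IDOR indicators above.
// Not Hoppscotch code; the log format and field names are assumptions.

interface AuditEvent {
  ts: string;          // ISO-8601 timestamp
  user: string;        // authenticated user id
  op: string;          // GraphQL operation name
  collectionID: string;
}

interface Finding { user: string; reason: string; ids: string[] }

// Constructed sample log (JSON lines). "mallory" walks IDs 100..103 that
// belong to alice and bob; alice and bob only touch their own collections.
const SAMPLE_LOG = [
  '{"ts":"2026-02-27T10:00:00Z","user":"alice","op":"userCollection","collectionID":"101"}',
  '{"ts":"2026-02-27T10:00:01Z","user":"mallory","op":"userCollection","collectionID":"100"}',
  '{"ts":"2026-02-27T10:00:02Z","user":"mallory","op":"userCollection","collectionID":"101"}',
  '{"ts":"2026-02-27T10:00:03Z","user":"mallory","op":"userCollection","collectionID":"102"}',
  '{"ts":"2026-02-27T10:00:04Z","user":"mallory","op":"userCollection","collectionID":"103"}',
  '{"ts":"2026-02-27T10:00:05Z","user":"mallory","op":"createUserCollection","collectionID":"200"}',
  '{"ts":"2026-02-27T10:00:06Z","user":"bob","op":"userCollection","collectionID":"102"}',
].join("\n");

// Constructed ownership map, as it would be exported from the database.
const OWNERS: Record<string, string> = {
  "100": "alice", "101": "alice", "102": "bob", "103": "bob", "200": "mallory",
};

function parseLog(text: string): AuditEvent[] {
  return text
    .split("\n")
    .filter((line) => line.trim().length > 0)
    .map((line) => JSON.parse(line) as AuditEvent);
}

// True if the (numeric) IDs contain at least three consecutive values,
// e.g. 100,101,102. Non-numeric IDs are ignored.
function isSequentialRun(ids: string[]): boolean {
  const nums = ids.map(Number).filter(Number.isInteger).sort((a, b) => a - b);
  return nums.some((n, i) => i >= 2 && nums[i - 1] === n - 1 && nums[i - 2] === n - 2);
}

// Analyse userCollection queries only; other operations already carry
// ownership checks according to the advisory. `threshold` is the number of
// distinct collections per user above which we alert (tune to your baseline).
function analyze(events: AuditEvent[], owners: Record<string, string>, threshold = 3): Finding[] {
  const perUser = new Map<string, string[]>();
  for (const e of events) {
    if (e.op !== "userCollection") continue;
    const ids = perUser.get(e.user) || [];
    ids.push(e.collectionID);
    perUser.set(e.user, ids);
  }

  const findings: Finding[] = [];
  perUser.forEach((ids, user) => {
    // Indicator: collection IDs the requesting user does not own.
    const foreign = ids.filter((id) => owners[id] !== undefined && owners[id] !== user);
    if (foreign.length > 0) {
      findings.push({ user, reason: "accessed collections owned by other users", ids: foreign });
    }
    // Indicator: bulk retrieval beyond the normal per-user volume.
    const distinct = Array.from(new Set(ids));
    if (distinct.length >= threshold) {
      findings.push({ user, reason: `queried ${distinct.length} distinct collections (threshold ${threshold})`, ids: distinct });
    }
    // Indicator: consecutive IDs, the signature of enumeration.
    if (isSequentialRun(distinct)) {
      findings.push({ user, reason: "sequential collection IDs", ids: distinct });
    }
  });
  return findings;
}

// Stand-alone run over the constructed sample
for (const f of analyze(parseLog(SAMPLE_LOG), OWNERS)) {
  console.log(`${f.user}: ${f.reason} [${f.ids.join(", ")}]`);
}
```

The ownership check is the strongest of the three signals because it is exact rather than statistical: a user reading a collection they do not own is the vulnerability being exercised, whatever the volume. The other two catch harvesting even where the ownership export is incomplete.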
How to Mitigate CVE-2026-28217
Immediate Actions Required
- Upgrade Hoppscotch to version 2026.2.0 or later immediately
- Audit access logs for any signs of exploitation prior to patching
- Rotate any API keys, tokens, or secrets that may have been stored in Hoppscotch collections
- Review user account activity for signs of unauthorized data access
Patch Information
Hoppscotch version 2026.2.0 addresses this vulnerability by implementing proper authorization checks on the userCollection GraphQL query. The fix ensures that the resolver validates collection ownership before returning data, aligning this query with the authorization model used by other operations in the same resolver.
For more details, see the Hoppscotch Release 2026.2.0 and the GitHub Security Advisory GHSA-m5pg-r4jp-qq75.
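To make the root cause (CWE-862, missing ownership check) and the shape of the fix described in the Root Cause and Patch Information sections concrete, here is an added TypeScript illustration. It is not Hoppscotch's source and does not reproduce the project's actual resolver; the resolver is modelled as a plain function over an in-memory store so it runs without a GraphQL server, and all type names, user IDs and collection contents are hypothetical. The vulnerable version checks only that the caller is authenticated; the hardened version also checks that the caller owns the collection before returning it.

```typescript
// Added illustration of the defect and its fix; not Hoppscotch code.
// Names, data and the error classes are assumptions for this example.

interface User { id: string }

interface Collection {
  id: string;
  ownerId: string;
  title: string;
  type: string;
  data: string; // serialized requests, headers included
}

class AuthenticationError extends Error {}
class NotFoundError extends Error {}

// Constructed sample store: two users, each owning one collection.
const store = new Map<string, Collection>();
store.set("col-1", {
  id: "col-1", ownerId: "alice", title: "Payments API", type: "rest",
  data: JSON.stringify({ headers: [{ key: "Authorization", value: "Bearer PLACEHOLDER" }] }),
});
store.set("col-2", {
  id: "col-2", ownerId: "bob", title: "Inventory API", type: "rest", data: "{}",
});

// Vulnerable pattern (CWE-862): the only check is "is someone logged in?".
// Any authenticated user who supplies another user's collection ID gets it back.
function userCollectionVulnerable(requester: User | null, collectionID: string): Collection {
  if (!requester) throw new AuthenticationError("login required");
  const col = store.get(collectionID);
  if (!col) throw new NotFoundError("no such collection");
  return col; // ownership is never compared against requester.id
}

// Hardened pattern: authenticate, then verify ownership before returning data.
// Design choice made here (the advisory does not specify it): a collection the
// caller does not own produces the same "not found" error as a missing one, so
// the query cannot be used to learn which IDs exist.
function userCollectionFixed(requester: User | null, collectionID: string): Collection {
  if (!requester) throw new AuthenticationError("login required");
  const col = store.get(collectionID);
  if (!col || col.ownerId !== requester.id) throw new NotFoundError("no such collection");
  return col;
}

// Stand-alone demonstration: bob asks for alice's collection.
const demoBob: User = { id: "bob" };
console.log("vulnerable:", userCollectionVulnerable(demoBob, "col-1").title); // alice's data leaks
try {
  userCollectionFixed(demoBob, "col-1");
} catch (e) {
  console.log("fixed:", (e as Error).message);
}
```

The ownership comparison belongs in the resolver (or a guard applied uniformly to every operation in it), not in the client, since the advisory's point is precisely that one query in an otherwise guarded resolver was left out. A per-resolver authorization guard that every operation must pass is the structural remedy for that kind of omission.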
Workarounds
- Restrict network access to Hoppscotch instances to trusted users only until patching is complete
- Implement additional authentication layers (VPN, network segmentation) to limit potential attackers
- Disable or restrict access to the GraphQL API if not operationally required
- Consider temporarily removing sensitive data from collections until the patch is applied
- Monitor GraphQL query logs closely for any suspicious activity targeting userCollection
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

