CVE-2026-28217

Source
https://cve.org/CVERecord?id=CVE-2026-28217
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28217.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28217
Aliases
  • GHSA-m5pg-r4jp-qq75
Published
2026-02-26T22:38:33.854Z
Modified
2026-04-10T05:37:39.740574Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections
Details

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection record (title, type, and the serialized data field containing HTTP requests with their headers, which may include secrets) to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR): the ownership check that every other operation in the same resolver performs is missing from this one query, so any logged-in user who knows or guesses a collection ID can read another user's private collection. Version 2026.2.0 fixes the issue.
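
The resolver shape described above, as an added example that is not hoppscotch's code: a minimal in-memory model of a userCollection query with the ownership check missing, beside the corrected form, plus the enumeration check a tester would run against both. The store, the userUid owner field, the error messages and all helper names are assumptions made for illustration.

```typescript
// Added example modelling the bug class in CVE-2026-28217: a GraphQL resolver
// that fetches a collection by ID without checking that the caller owns it.
// NOT hoppscotch's code; the store, the userUid field and the helpers are
// assumptions for illustration only.

interface AuthUser {
  uid: string;
}

interface UserCollection {
  id: string;
  userUid: string; // assumed owner field
  title: string;
  type: "REST" | "GRAPHQL";
  data: string; // serialized requests; in practice may carry headers and secrets
}

// Constructed sample data: two authenticated users, one collection each.
const ALICE: AuthUser = { uid: "user-alice" };
const BOB: AuthUser = { uid: "user-bob" };

const COLLECTIONS: ReadonlyMap<string, UserCollection> = new Map<string, UserCollection>([
  ["col-1", { id: "col-1", userUid: ALICE.uid, title: "Alice public API", type: "REST",
              data: JSON.stringify({ requests: [{ url: "https://example.test/", headers: {} }] }) }],
  ["col-2", { id: "col-2", userUid: BOB.uid, title: "Bob internal", type: "REST",
              data: JSON.stringify({ requests: [{ url: "https://internal.example.test/",
                                                   headers: { Authorization: "Bearer SAMPLE-NOT-REAL" } }] }) }],
]);

type Resolver = (requester: AuthUser, collectionID: string) => UserCollection;

// Vulnerable shape: authentication happened upstream (requester is set), but
// nothing ties the requested ID to the requester, so any ID resolves to the
// full record, including the serialized data field.
function userCollectionVulnerable(requester: AuthUser, collectionID: string): UserCollection {
  const col = COLLECTIONS.get(collectionID);
  if (!col) throw new Error("collection not found");
  return col;
}

// Fixed shape: the record is returned only if it belongs to the requester.
// "Does not exist" and "not yours" collapse to the same error so the query
// cannot be used as an oracle for which IDs exist (a design choice of this
// example, not a claim about the upstream fix).
function userCollectionFixed(requester: AuthUser, collectionID: string): UserCollection {
  const col = COLLECTIONS.get(collectionID);
  if (!col || col.userUid !== requester.uid) throw new Error("collection not found");
  return col;
}

interface Outcome {
  ok: boolean;
  title?: string;
  error?: string;
}

// Runs a resolver and reports the result without throwing, so the two
// behaviours can be compared side by side.
function runQuery(resolver: Resolver, requester: AuthUser, collectionID: string): Outcome {
  try {
    const col = resolver(requester, collectionID);
    return { ok: true, title: col.title };
  } catch (e) {
    return { ok: false, error: (e as Error).message };
  }
}

// Enumeration check: which candidate IDs does the resolver hand to a user who
// does not own them? Every existing foreign ID leaks from the vulnerable
// resolver; none from the fixed one.
function leakedCollections(resolver: Resolver, requester: AuthUser, candidateIDs: string[]): string[] {
  return candidateIDs.filter((id) => {
    const r = runQuery(resolver, requester, id);
    return r.ok && COLLECTIONS.get(id)?.userUid !== requester.uid;
  });
}

function main(): void {
  const ids = ["col-1", "col-2", "col-3"];
  console.log("vulnerable, as alice:", leakedCollections(userCollectionVulnerable, ALICE, ids));
  console.log("fixed, as alice:", leakedCollections(userCollectionFixed, ALICE, ids));
}

main();
```

The check that matters is the single comparison of the record's owner against the authenticated caller before anything is returned; a resolver that only verifies that the caller is logged in, as the vulnerable form does, still exposes every record to every user.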

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28217.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/hoppscotch/hoppscotch

Affected ranges

Type
GIT
Repo
https://github.com/hoppscotch/hoppscotch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2023.*
2023.12.0
2023.12.1
2023.12.2
2023.12.3
2023.4.0
2023.4.1
2023.4.2
2023.4.3
2023.4.4
2023.4.5
2023.8.0
2023.8.1
2023.8.2
2024.*
2024.10.0
2024.10.1
2024.11.0
2024.12.0
2024.12.1
2024.12.2
2024.3.0
2024.3.1
2024.3.2
2024.3.3
2024.6.0
2024.7.0
2024.7.1
2024.8.0
2024.8.1
2024.8.2
2024.8.3
2024.9.0
2024.9.1
2024.9.2
2025.*
2025.1.0
2025.1.1
2025.10.0
2025.10.1
2025.11.0
2025.11.1
2025.11.2
2025.12.0
2025.12.1
2025.2.0
2025.2.1
2025.3.0
2025.3.1
2025.3.2
2025.4.0
2025.5.0
2025.5.1
2025.6.0
2025.6.1
2025.7.0
2025.7.1
2025.8.0
2025.8.1
2025.9.0
2025.9.1
2025.9.2
2026.*
2026.1.0
2026.1.1
v0.*
v0.1.0
v1.*
v1.0.0
v1.10.0
v1.12.0
v1.5.0
v1.9.0
v1.9.5
v1.9.7
v1.9.9
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.2.1
v3.*
v3.0.0
v3.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28217.json"