CVE-2026-28216— hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment

hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

通过用户控制密钥绕过授权机制

Hoppscotch 安全漏洞

Hoppscotch是Hoppscotch开源的一个开源 Api 开发生态系统。 Hoppscotch 2026.2.0之前版本存在安全漏洞，该漏洞源于已登录用户可通过ID读取、修改或删除其他用户的个人环境，可能导致API密钥和令牌泄露。

N/A

N/A