6.5
CVE-2026-28217
- EPSS 0.37%
- Veröffentlicht 26.02.2026 22:38:33
- Zuletzt bearbeitet 27.02.2026 15:50:55
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Hoppscotch ≫ Hoppscotch Version < 2026.2.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.285 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75