VYPR
Unrated severityNVD Advisory· Published Feb 26, 2026· Updated Feb 27, 2026

IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

CVE-2026-28217

Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.

Affected products

2
  • Hoppscotch/Hoppscotchllm-fuzzy2 versions
    <2026.2.0+ 1 more
    • (no CPE)range: <2026.2.0
    • (no CPE)range: < 2026.2.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.