Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-28217
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-26 Feb, 2026 | 23:16
Updated At-27 Feb, 2026 | 15:50

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
hoppscotch
hoppscotch
>>hoppscotch>>Versions before 2026.2.0(exclusive)
cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity-advisories@github.com
CWE-639Primarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-639
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0security-advisories@github.com
Product
Release Notes
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75
Source: security-advisories@github.com
Resource:
Exploit
Mitigation
Vendor Advisory
Change History
0Changes found
Details not found