Home / Vulnerability Intelligence / CVE-2026-28216

CVE-2026-28216 - Vulnerability Analysis

HighCVSS: 8.3

Last Updated: February 27, 2026

Hoppscotch - Broken Access Control

Published: February 26, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

Hoppscotch prior to 2026.2.0 contains a broken access control caused by missing ownership checks in user environment update and delete mutations, letting authenticated users read, modify, or delete other users' personal environments by ID, exploit requires user to be logged in.

Severity & Score

Severity: High

CVSS Score: 8.3

EPSS Score: 4.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can read, modify, or delete other users' API keys and secrets, risking data compromise and service disruption.

Mitigation

Update to version 2026.2.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 27, 2026

🟠 CVE-2026-28216 - High (8.3) hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation us... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28216/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28216
Severity: High
CVSS Score: 8.3
Type: broken_access_control
Status: confirmed
EPSS: 4.0%
Social Posts: 1

CWE

CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS Score

4.0%Probability of exploitation in the next 30 days