LeakyCreds

CVE-2026-28216 - Vulnerability Analysis

High, CVSS: 8.3

Last Updated: February 26, 2026

Hoppscotch - Broken Access Control

Published: February 26, 2026 | Updated: February 26, 2026 | Remote Exploitable

Overview

Hoppscotch prior to 2026.2.0 contains a broken access control vulnerability caused by missing ownership checks in the user environment update and delete mutations. Authenticated users can read, modify, or delete other users' personal environments by ID. Exploitation requires the attacker to be logged in.
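
The ownership check whose absence is described above, shown as an added TypeScript example beside the unchecked pattern. This is not Hoppscotch's code: `EnvironmentStore`, `UserEnvironment`, `findOwned` and the `ENV_NOT_FOUND` error are hypothetical names over an in-memory store.

```typescript
// Hypothetical in-memory model (assumption), not Hoppscotch's schema or code.
interface UserEnvironment {
  id: string;
  ownerUid: string;
  variables: string; // serialized key/value pairs; may hold API keys
}

type Result =
  | { ok: true; env: UserEnvironment }
  | { ok: false; error: "ENV_NOT_FOUND" };

class EnvironmentStore {
  private envs = new Map<string, UserEnvironment>();

  seed(env: UserEnvironment): void {
    this.envs.set(env.id, { ...env });
  }

  // "Before" pattern (CWE-639): the caller's identity is never compared with
  // the record's owner, so the ID alone decides which record is changed.
  updateUnchecked(id: string, variables: string): Result {
    const env = this.envs.get(id);
    if (!env) return { ok: false, error: "ENV_NOT_FOUND" };
    env.variables = variables;
    return { ok: true, env: { ...env } };
  }

  // Hardened lookup: resolve by (id, caller) together. A foreign ID returns
  // the same error as a missing one, so responses do not confirm valid IDs.
  private findOwned(id: string, callerUid: string): UserEnvironment | undefined {
    const env = this.envs.get(id);
    return env && env.ownerUid === callerUid ? env : undefined;
  }

  update(callerUid: string, id: string, variables: string): Result {
    const env = this.findOwned(id, callerUid);
    if (!env) return { ok: false, error: "ENV_NOT_FOUND" };
    env.variables = variables;
    return { ok: true, env: { ...env } };
  }

  remove(callerUid: string, id: string): Result {
    const env = this.findOwned(id, callerUid);
    if (!env) return { ok: false, error: "ENV_NOT_FOUND" };
    this.envs.delete(id);
    return { ok: true, env };
  }
}
```

The caller identity passed to `update` and `remove` must come from the authenticated session, never from a client-supplied argument.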

Severity & Score

Severity: High
CVSS Score: 8.3

Impact

Authenticated attackers can read, modify, or delete other users' API keys and secrets, risking data compromise and service disruption.

Mitigation

Update to version 2026.2.0 or later.

Details

CVE ID: CVE-2026-28216
Severity: High
CVSS Score: 8.3
Type: broken_access_control
Status: new

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L