CVE-2026-28217 - Vulnerability Analysis
Severity: Medium | CVSS: 6.5 | Last Updated: February 27, 2026
Hoppscotch - Broken Access Control
Overview
Hoppscotch prior to 2026.2.0 contains an insecure direct object reference (IDOR) caused by a missing authorization check in the userCollection GraphQL query. The query resolves a collection by the caller-supplied identifier without verifying that the caller owns it, so any authenticated user can read other users' collection data. Exploitation requires an authenticated account; no user interaction is needed.
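A minimal model of the bug class, added here as an illustration and not taken from Hoppscotch's source. The resolver names, the in-memory store, the context shape and the sample users and collections are all assumptions made for the example; the point is the single missing comparison between the requested record's owner and the authenticated caller.

```typescript
// Added example, not Hoppscotch's code: a minimal model of the missing
// authorization check behind CVE-2026-28217. Resolver, store and field
// names are assumptions for illustration only.

interface User {
  uid: string;
}

interface Collection {
  id: string;
  ownerUid: string;
  title: string;
  headers: Record<string, string>; // saved request headers, often secrets
}

interface Context {
  user: User | null; // populated by the authentication layer, null if anonymous
}

class UnauthenticatedError extends Error {}

// Constructed sample data: two users, each owning one collection that
// carries a saved secret header.
const collections: Collection[] = [
  { id: "col-1", ownerUid: "alice", title: "Alice API", headers: { Authorization: "Bearer alice-token" } },
  { id: "col-2", ownerUid: "bob", title: "Bob API", headers: { "X-Api-Key": "bob-secret" } },
];

function requireUser(ctx: Context): User {
  if (!ctx.user) throw new UnauthenticatedError("login required");
  return ctx.user;
}

// Vulnerable pattern (CWE-862 / CWE-639): the resolver checks that the
// caller is logged in, then looks the collection up purely by the
// caller-supplied id. Ownership is never compared, so any authenticated
// user can read any collection whose id they know or can enumerate.
function userCollectionVulnerable(ctx: Context, id: string): Collection | undefined {
  requireUser(ctx);
  return collections.find((c) => c.id === id);
}

// Fixed pattern: the lookup is scoped to the caller's own records. A
// foreign id yields the same "not found" result as a nonexistent one, so
// the query neither leaks the data nor confirms that the id exists.
function userCollectionFixed(ctx: Context, id: string): Collection | undefined {
  const user = requireUser(ctx);
  return collections.find((c) => c.id === id && c.ownerUid === user.uid);
}

// Regression check: for a caller and a target id, report whether each
// resolver hands back a collection owned by someone else.
function leaksForeignCollection(callerUid: string, id: string): { vulnerable: boolean; fixed: boolean } {
  const ctx: Context = { user: { uid: callerUid } };
  const isForeign = (c: Collection | undefined) => c !== undefined && c.ownerUid !== callerUid;
  return {
    vulnerable: isForeign(userCollectionVulnerable(ctx, id)),
    fixed: isForeign(userCollectionFixed(ctx, id)),
  };
}
```

Authentication alone is the trap here: both resolvers reject anonymous callers, and only the second one answers the question the query actually needs answered, which is whether this caller may see this record. Scoping the lookup by owner in the data access itself, rather than bolting a check on afterwards, also keeps the fix from being forgotten in the next resolver that touches the same table.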
Severity & Score
Impact
Authenticated attackers can access other users' full collection data, including sensitive HTTP request headers and secrets.
Mitigation
Update to version 2026.2.0 or later.
References
Social Media Activity (1 post)
CISA KEV Catalog Updated: Federal Agencies Must Patch Exploited Flaws in Apple, Laravel, Craft CMS. CISA KEV UPDATE: Actively exploited flaws in Apple visionOS (CVE-2026-28217), Laravel (CVE-2024-4671), & Craft CMS (CVE-2026-25487) added to catalog. Federal agencies must patch by April 12. All orgs urged to patch NOW! #KEV #CISA https://cyber.netsecops.io/articles/cisa-adds-apple-laravel-craft-cms-flaws-to-kev-catalog/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto
Details
- CVE ID
- CVE-2026-28217
- Severity
- Medium
- CVSS Score
- 6.5
- Type
- broken_access_control
- Status
- confirmed
- EPSS
- 1.3%
- Social Posts
- 1
CWE
- CWE-862
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N