CVE-2026-28217 - Vulnerability Analysis
Severity: Medium | CVSS: 6.5 | Last Updated: February 27, 2026
Hoppscotch - Broken Access Control
Published: February 26, 2026 | Updated: February 27, 2026 | PoC Available | Remote Exploitable
Overview
Hoppscotch prior to 2026.2.0 contains an insecure direct object reference (IDOR) caused by a missing authorization check in the userCollection GraphQL query. Any authenticated user can read other users' collection data; exploitation requires an authenticated account.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Authenticated attackers can access other users' full collection data, including sensitive HTTP request headers and secrets.
Mitigation
Update to version 2026.2.0 or later.
Details
- CVE ID: CVE-2026-28217
- Severity: Medium
- CVSS Score: 6.5
- Type: broken_access_control
- Status: confirmed
CWE
- CWE-862
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N