hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:LHoppscotch
APPHoppscotch< 2026.2.0
Related vulnerabilities
Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026...
Hoppscotch — Auth Bypass umożliwia przejęcie konfiguracji instancji
hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulne...
hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect v...
hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is...