Cyber Posture

CVE-2026-28216

Severity: High · Public PoC available

Published: 26 February 2026

Modified: 27 February 2026
KEV Added: not listed
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28216 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Hoppscotch (vendor: Hoppscotch). Its CVSS base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-3 Access Enforcement (prevent)
Requires systems to enforce approved authorizations for access to resources, directly addressing the missing ownership checks in GraphQL resolvers and Prisma queries that allowed unauthorized read, modify, or delete of user environments.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, correction, and verification of flaws like this authorization bypass vulnerability, ensuring timely patching as done in version 2026.2.0.

AC-6 Least Privilege (prevent)
Enforces least privilege to restrict access to only necessary resources, limiting the blast radius of authorization bypasses on sensitive environment data containing API keys and secrets.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The authorization bypass (IDOR) in the public-facing Hoppscotch GraphQL API directly enables exploitation under T1190. Because the missing ownership checks let any authenticated user read, modify or delete other users' environments, which hold API keys, tokens and secrets, a successful exploit also yields credentials, mapping to T1528 and T1552.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. In `user-environments.resolver.ts:82-109`, the `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user, but the service only uses the UID to check if the target is a global environment; the actual delete query uses `WHERE { id }` without `AND userUid`. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation, but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.

Deeper analysis [AI-generated]

CVE-2026-28216 is an authorization bypass vulnerability (CWE-639) in hoppscotch, an open source API development ecosystem. Prior to version 2026.2.0, the issue affects the GraphQL resolvers in `user-environments.resolver.ts` (lines 82-109), where the `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but lacks the `@GqlUser()` decorator, preventing user identity extraction. This results in Prisma queries like `prisma.userEnvironment.update({ where: { id } })` without ownership filters. Similarly, `deleteUserEnvironment` checks user ID only for global environments but omits it from the actual delete query's WHERE clause, enabling any logged-in user to read, modify, or delete another user's personal environment by its ID.

An authenticated attacker with network access (AV:N) can exploit this low-complexity vulnerability (AC:L, UI:N) by obtaining a target user's environment ID, which follows the CUID format and limits mass scanning but enables targeted insider threats or info-leak combinations. Successful exploitation grants high confidentiality and integrity impacts (C:H, I:H) with low availability impact (A:L), allowing the attacker to read sensitive data like API keys, auth tokens, and secrets stored in environments, replace them with malicious values, or delete them entirely, potentially compromising API requests or downstream systems.

The hoppscotch release notes for version 2026.2.0 and the associated GitHub security advisory (GHSA-72rv-vc3j-5vqr) confirm that the fix adds the missing ownership checks to the affected mutations. Security practitioners should upgrade to version 2026.2.0 or later; the issue is scored CVSS 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

Details

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products

Vendor: hoppscotch
Product: hoppscotch
Versions: ≤ 2026.2.0

CVEs Like This One

CVE-2026-28215 (same product: Hoppscotch)
CVE-2026-34931 (same product: Hoppscotch)
CVE-2026-34932 (same product: Hoppscotch)
CVE-2025-4855 (shared CWE-639)
CVE-2025-40805 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-40600 (shared CWE-639)
CVE-2023-53955 (shared CWE-639)
CVE-2020-36923 (shared CWE-639)
CVE-2026-33511 (shared CWE-639)
