{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1119a2209cc31f207138c424ff74a0cfc5951d1b" } ], "repo": "https://github.com/hoppscotch/hoppscotch", "type": "GIT" } ] } ], "aliases": [ "GHSA-m5pg-r4jp-qq75" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-862" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28217.json" }, "details": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.", "id": "CVE-2026-28217", "modified": "2026-04-01T23:09:12.350370994Z", "published": "2026-02-26T22:38:33.854Z", "references": [ { "type": "WEB", "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28217.json" }, { "type": "ADVISORY", "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28217" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections" }