Hoppscotch IDOR Vulnerability in User Environment Management Allows Unauthorized Access and Modification

Vulnerability

A vulnerability in Hoppscotch's user environment management, in versions prior to 2026.2.0, allows any logged-in user to read, modify, or delete another user's personal environment by supplying its ID. The root cause is that the 'updateUserEnvironment' GraphQL mutation resolves the environment by ID alone and never checks that the authenticated caller owns it, a classic insecure direct object reference (IDOR). Although the environment ID format makes mass exploitation harder, on a shared instance the flaw still poses a significant insider-threat and information-leakage risk, because environments routinely hold sensitive data.

Impact

Exploitation allows any authenticated user to read, alter, or delete another user's environment data. Environments commonly store secrets such as API keys and authentication tokens, so a successful attack can extend beyond Hoppscotch itself to unauthorized access to the APIs and services those credentials protect.

Reproduction

To reproduce this vulnerability, two users must be logged into the same Hoppscotch instance. The victim first confirms that a personal environment exists. The attacker, who knows the victim's environment ID, then sends the 'updateUserEnvironment' GraphQL mutation to the backend using the attacker's own access token but the victim's environment ID. Because the mutation does not verify that the caller owns the referenced environment, the request succeeds and the victim's environment is modified or deleted.

Remediation

Upgrade to Hoppscotch version 2026.2.0 or later, where this vulnerability has been addressed. Operators of shared instances running an earlier version should assume that any environment contents were readable by every other user on the instance and rotate any API keys or tokens stored there.
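To make the missing check concrete, here is an added example in TypeScript (the language of the Hoppscotch backend). It is illustrative code written for this page, not Hoppscotch's code and not the 2026.2.0 patch. It models the resolver over an in-memory map instead of a database, and every name in it (`seedEnvironments`, `updateUserEnvironmentVulnerable`, `loadOwnedEnvironment`, `updateUserEnvironmentHardened`, the user and environment IDs, the `API_KEY` secret) is an assumption. The vulnerable resolver resolves the environment by ID alone, exactly the pattern the advisory describes; the hardened one scopes the lookup to the authenticated caller, so a foreign ID and a nonexistent ID are indistinguishable to the requester.

```typescript
// Added illustrative example, not Hoppscotch's code: an in-memory model of a
// "user environment" update resolver with the IDOR (lookup by ID only) beside
// the ownership-scoped version a fix needs. All names and data are assumptions.

type UserEnvironment = {
  id: string;
  ownerId: string; // user who created the environment
  name: string;
  variables: Record<string, string>;
};

type EnvironmentPatch = Partial<Pick<UserEnvironment, "name" | "variables">>;
type EnvironmentStore = Map<string, UserEnvironment>;

// Constructed sample data: two users on the same instance, each with one
// personal environment. The victim's holds a secret, as real environments often do.
function seedEnvironments(): EnvironmentStore {
  return new Map<string, UserEnvironment>([
    ["env-victim-1", { id: "env-victim-1", ownerId: "user-victim", name: "prod",
                       variables: { API_KEY: "sk-victim-secret" } }],
    ["env-attacker-1", { id: "env-attacker-1", ownerId: "user-attacker", name: "scratch",
                         variables: {} }],
  ]);
}

function applyPatch(env: UserEnvironment, patch: EnvironmentPatch): UserEnvironment {
  if (patch.name !== undefined) env.name = patch.name;
  if (patch.variables !== undefined) env.variables = { ...patch.variables };
  return env;
}

// VULNERABLE (the pattern the advisory describes): the environment is resolved by
// ID alone. `callerId` is the authenticated user, but it is never compared with
// `env.ownerId`, so any logged-in user can overwrite any environment whose ID they know.
function updateUserEnvironmentVulnerable(
  store: EnvironmentStore, callerId: string, envId: string, patch: EnvironmentPatch,
): UserEnvironment {
  const env = store.get(envId);
  if (!env) throw new Error("environment not found");
  return applyPatch(env, patch);
}

// Ownership-scoped lookup: the caller's identity (taken from the verified session
// or token on the server, never from request input) becomes part of the query key.
// A foreign ID and a nonexistent ID raise the same error, so the response does not
// confirm that an ID exists, which matters when ID guessing is the remaining barrier.
function loadOwnedEnvironment(store: EnvironmentStore, callerId: string, envId: string): UserEnvironment {
  const env = store.get(envId);
  if (!env || env.ownerId !== callerId) throw new Error("environment not found");
  return env;
}

// HARDENED: identical behaviour for the owner, rejection for everyone else.
function updateUserEnvironmentHardened(
  store: EnvironmentStore, callerId: string, envId: string, patch: EnvironmentPatch,
): UserEnvironment {
  return applyPatch(loadOwnedEnvironment(store, callerId, envId), patch);
}

// Runs the attacker's request (own identity, victim's environment ID) against both
// resolvers on fresh stores and reports whether the victim's secret survived.
function demo(): { vulnerableOverwrote: boolean; hardenedBlocked: boolean } {
  const attack: EnvironmentPatch = { variables: { API_KEY: "attacker-controlled" } };

  const vulnerableStore = seedEnvironments();
  updateUserEnvironmentVulnerable(vulnerableStore, "user-attacker", "env-victim-1", attack);
  const vulnerableOverwrote =
    vulnerableStore.get("env-victim-1")!.variables.API_KEY === "attacker-controlled";

  const hardenedStore = seedEnvironments();
  let rejected = false;
  try {
    updateUserEnvironmentHardened(hardenedStore, "user-attacker", "env-victim-1", attack);
  } catch {
    rejected = true;
  }
  const hardenedBlocked =
    rejected && hardenedStore.get("env-victim-1")!.variables.API_KEY === "sk-victim-secret";

  return { vulnerableOverwrote, hardenedBlocked };
}

console.log(demo()); // { vulnerableOverwrote: true, hardenedBlocked: true }
```

The design point is that ownership belongs in the lookup itself, not in a separate check bolted on after the row is fetched: with a real database the equivalent is a `WHERE id = ? AND owner_id = ?` (or ORM `where: { id, ownerId }`) query, so every resolver that goes through `loadOwnedEnvironment` gets the same guarantee and there is no code path that holds a foreign user's row before deciding what to do with it.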

Added: Feb 26, 2026, 11:25 PM
Updated: Feb 26, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.