Hoppscotch Insecure Direct Object Reference Vulnerability in GraphQL userCollection Query Allows Unauthorized Access to Private Data

Vulnerability

A vulnerability exists in Hoppscotch prior to version 2026.2.0, specifically within the GraphQL userCollection query. This query allows any authenticated user to access full collection data, including titles, types, and serialized HTTP requests with headers and potentially sensitive information, such as secrets. The vulnerability arises from a missing authorization check, enabling Insecure Direct Object Reference (IDOR) exploitation. While other operations in the same resolver include ownership verification, the userCollection query does not, leading to unauthorized data access.

Impact

Exploitation of this vulnerability allows any authenticated user to read private collections belonging to other users, potentially leading to unauthorized access to sensitive information such as API keys, authorization tokens, and other secrets stored in collection data. Additionally, the vulnerability allows traversal of the entire collection hierarchy of the victim, accessing all related collection data.

Reproduction

To reproduce this vulnerability, an authenticated user must send a GraphQL request to the userCollection query, including a collection ID that does not belong to them. The request will return the full collection data, including sensitive information from the data field, such as HTTP requests and headers. This vulnerability can also be exploited by traversing the collection tree of the victim, accessing additional collection data that lacks ownership checks.
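The defect described above is a resolver that looks a collection up by id without comparing the row's owner to the caller. The following TypeScript is an added illustration, not Hoppscotch's code or its fix: it places a resolver with the missing check beside one that verifies ownership, and applies the same check at every node when walking the collection tree, since the advisory notes that traversal of the hierarchy also lacked checks. The record shape (`Collection`, `userUid`, `parentID`), the context object, the error type and the in-memory data are all constructed assumptions for this example.

```typescript
// Added illustration (not Hoppscotch's code): the missing-authorization
// pattern described in the advisory beside a resolver that verifies
// ownership. Field names, context shape and data are constructed.

interface Collection {
  id: string;
  userUid: string;          // owner of the collection (assumed field name)
  parentID: string | null;  // parent in the collection tree
  title: string;
  data: string;             // serialized requests/headers; may contain secrets
}

interface Context {
  user: { uid: string };    // the authenticated caller
}

// Constructed in-memory store standing in for the database.
const COLLECTIONS: Collection[] = [
  { id: "c1", userUid: "alice", parentID: null, title: "Prod APIs",
    data: '{"headers":{"Authorization":"Bearer alice-secret"}}' },
  { id: "c2", userUid: "alice", parentID: "c1", title: "Billing",
    data: '{"headers":{"X-Api-Key":"alice-billing-key"}}' },
  { id: "c3", userUid: "bob", parentID: null, title: "Bob's stuff", data: "{}" },
];

function findById(id: string): Collection | undefined {
  return COLLECTIONS.find((c) => c.id === id);
}

// Vulnerable shape: fetches by id only, so any authenticated caller who
// supplies someone else's collection id receives that user's data.
function userCollectionUnchecked(_ctx: Context, id: string): Collection | null {
  return findById(id) ?? null;
}

class NotFoundError extends Error {}

// Hardened shape: the row is returned only when it belongs to the caller.
// "Missing" and "not yours" share one error so the response does not
// confirm that a given id exists.
function userCollectionChecked(ctx: Context, id: string): Collection {
  const col = findById(id);
  if (!col || col.userUid !== ctx.user.uid) {
    throw new NotFoundError("collection not found");
  }
  return col;
}

// Convenience wrapper for callers that want a boolean instead of an exception.
function canRead(ctx: Context, id: string): boolean {
  try {
    userCollectionChecked(ctx, id);
    return true;
  } catch {
    return false;
  }
}

// Tree walk (parent -> children) that re-applies the ownership check at
// every node, so the check cannot be skipped by starting from a child id.
function ownedSubtree(ctx: Context, rootId: string): string[] {
  const root = userCollectionChecked(ctx, rootId);
  const ids = [root.id];
  for (const child of COLLECTIONS.filter((c) => c.parentID === root.id)) {
    if (child.userUid === ctx.user.uid) {
      ids.push(...ownedSubtree(ctx, child.id));
    }
  }
  return ids;
}
```

The important property is that the ownership comparison lives in the data-access path itself, not in the GraphQL layer above it, so every operation that reads a collection, including recursive ones, goes through the same check.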

Remediation

Users can upgrade to Hoppscotch version 2026.2.0 or later, where this vulnerability has been fixed. After upgrading, self-hosted users should run the latest database migrations.

Added: Feb 26, 2026, 11:25 PM
Updated: Feb 26, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.