Public February 2026
Hoppscotch GraphQL Collection Lookup Leaked Other Users’ Secrets
BugBunny.ai discovered an IDOR in Hoppscotch’s userCollection GraphQL query. Any authenticated user could request another user’s collection by ID and receive serialized request definitions that often contained API keys, bearer tokens, and other private data.
TL;DR
Authenticated users can read other users’ private API collections and the secrets stored inside them.
The vector is a GraphQL userCollection query that supplies another user’s collection ID.
Hoppscotch self-hosted backend releases up to and including 2026.1.1 are affected.
The fix shipped in Hoppscotch 2026.2.0, alongside publication of the advisory.
Root Cause
The userCollection resolver accepted a collection ID and called a service method that performed a raw lookup by that ID. Unlike neighboring operations, it never injected the authenticated user or applied the existing ownership check before returning the record.
Because the returned object included serialized request data, the issue exposed more than titles or metadata. It leaked complete collections, authorization headers, bearer tokens, and enough structure to traverse parent and child collections across the victim’s workspace.
Product
Hoppscotch
Affected
<= 2026.1.1
Patched
2026.2.0
Weaknesses
CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
Mitigation
- Upgrade Hoppscotch to version 2026.2.0 or later.
- Require ownership validation in the resolver or service layer before returning any collection data.
- Review related field resolvers such as parent and children accessors for consistent authorization checks.
Credits & Disclosure
Published via GitHub Security Advisory GHSA-m5pg-r4jp-qq75 after coordinated disclosure with the Hoppscotch maintainers.