Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections
Vulnerability Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
授权机制缺失
Vulnerability Title
Hoppscotch 安全漏洞
Vulnerability Description
Hoppscotch是Hoppscotch开源的一个开源 Api 开发生态系统。 Hoppscotch 2026.2.0之前版本存在安全漏洞,该漏洞源于userCollection GraphQL查询缺少授权检查,可能导致不安全的直接对象引用和信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A