Hoppscotch: Insecure Default Configuration Allows Public Exposure of Private Collection Data via Mock Server
Summary
| CVE | CVE-2026-59720 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-09 18:16:57 UTC |
| Updated | 2026-07-09 19:17:08 UTC |
| Description | Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Problem Types: CWE-200 | CWE-284 | CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | CWE-284 CWE-284: Improper Access Control
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Hoppscotch | Hoppscotch | affected < 2026.6.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/hoppscotch/hoppscotch/pull/6410 | [email protected] | github.com | |
| github.com/hoppscotch/hoppscotch/commit/e4332110d455a3012d5c77a9186bc4aa... | [email protected] | github.com | |
| github.com/hoppscotch/hoppscotch/security/advisories/GHSA-c68f-wr5p-j6jf | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | |
| github.com/hoppscotch/hoppscotch/releases/tag/2026.6.0 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.