hoppscotch-backend is vulnerable to Improper Access Control
55
Medium Risk
Affected versions of this package are vulnerable to an authorization bypass in the moveRequest mutation. When nextRequestID is null, the implementation skips validating the destination collection's team, so a user with EDITOR or OWNER privileges in one team can move requests into collections belonging to another team. This results in cross-team data manipulation and unauthorized modification of resources. The fix adds validation that fetches the destination collection when nextRequestID is null and compares its teamID with the request's teamID. The operation is rejected if the destination collection does not exist or belongs to a different team, preventing cross-team moves.
You are affected if you are using a version that falls within the vulnerable range.
hoppscotch-backend is vulnerable to Improper Access Control in versions 0.0.1 - 2026.2.1.
Upgrade the hoppscotch-backend library to a patched version above the affected range.
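The gap and the fix described above, modelled as an added TypeScript example that is not Hoppscotch's own code; the in-memory tables, the record shapes and the function names are assumptions made for illustration:

```typescript
// Added illustration, not Hoppscotch's code: an in-memory model of the
// moveRequest check, with the gap when nextRequestID is null and the fix.
type TeamCollection = { id: string; teamID: string };
type TeamRequest = { id: string; teamID: string; collectionID: string };
type MoveResult = { ok: true } | { ok: false; error: string };

// Constructed sample data: two teams, one collection each, one request each.
const collections: TeamCollection[] = [
  { id: "col-A", teamID: "team-A" },
  { id: "col-B", teamID: "team-B" },
];
const requests: TeamRequest[] = [
  { id: "req-1", teamID: "team-A", collectionID: "col-A" },
  { id: "req-2", teamID: "team-B", collectionID: "col-B" },
];

// "Insert before nextRequest" case, checked in both variants: the sibling
// request must belong to the same team as the request being moved.
function checkNextRequest(req: TeamRequest, nextRequestID: string): MoveResult {
  const next = requests.find((r) => r.id === nextRequestID);
  if (!next) return { ok: false, error: "next request not found" };
  if (next.teamID !== req.teamID) return { ok: false, error: "team mismatch" };
  return { ok: true };
}

// Vulnerable variant: with nextRequestID null (append to the end of the
// destination collection) destCollectionID is never validated.
function moveRequestVulnerable(
  requestID: string, destCollectionID: string, nextRequestID: string | null,
): MoveResult {
  const req = requests.find((r) => r.id === requestID);
  if (!req) return { ok: false, error: "request not found" };
  if (nextRequestID !== null) return checkNextRequest(req, nextRequestID);
  return { ok: true }; // a move into another team's collection passes here
}

// Fixed variant: with nextRequestID null, fetch the destination collection
// and require that it exists and belongs to the request's team.
function moveRequestFixed(
  requestID: string, destCollectionID: string, nextRequestID: string | null,
): MoveResult {
  const req = requests.find((r) => r.id === requestID);
  if (!req) return { ok: false, error: "request not found" };
  if (nextRequestID !== null) return checkNextRequest(req, nextRequestID);
  const dest = collections.find((c) => c.id === destCollectionID);
  if (!dest) return { ok: false, error: "destination collection not found" };
  if (dest.teamID !== req.teamID) return { ok: false, error: "team mismatch" };
  return { ok: true };
}
```

A regression test for the fix is the null-nextRequestID case with a destination collection owned by a different team, which the vulnerable variant accepts and the fixed variant rejects.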