PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59720 hoppscotch CVE debrief

CVE-2026-59720 is a high-severity vulnerability in Hoppscotch, an open-source API development ecosystem. Prior to version 2026.6.0, mock server creation did not persist the isPublic input field, causing mock servers linked to private collections to be publicly accessible without authentication. This could potentially expose sensitive API data. The issue is fixed in version 2026.6.0. Security teams and developers using Hoppscotch for API development should be aware of this vulnerability and ensure they are using version 2026.6.0 or later to prevent unauthorized access to mock servers.

Vendor
hoppscotch
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Security teams and developers using Hoppscotch for API development should be aware of this vulnerability and ensure they are using version 2026.6.0 or later to prevent unauthorized access to mock servers. Additionally, operators and platform administrators responsible for managing Hoppscotch deployments should also be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

In Hoppscotch, prior to 2026.6.0, the mock server creation process in mock-server.service.ts did not properly persist the isPublic input field. By default, schema.prisma sets isPublic to true, which can lead to mock servers linked to private collections being publicly accessible without authentication. This issue has been resolved in version 2026.6.0. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.

Defensive priority

High

Recommended defensive actions

  • Inventory and update: Review and update Hoppscotch to version 2026.6.0 or later.
  • Verify mock server configurations: Ensure that mock servers are properly configured and not publicly accessible without authentication.
  • Monitor for suspicious activity: Keep an eye on mock server activity to detect any potential unauthorized access.
  • Review API documentation: Familiarize yourself with the API documentation for Hoppscotch to understand the changes introduced in version 2026.6.0.
  • Perform vulnerability scanning: Use vulnerability scanning tools to identify potential vulnerabilities in your Hoppscotch deployments.
  • Implement compensating controls: Implement compensating controls, such as firewalls or intrusion detection systems, to detect and prevent potential attacks.
  • Track exceptions: Track exceptions and retest remediated assets to ensure that the vulnerability has been properly mitigated.

Evidence notes

The CVE record was published on 2026-07-09T18:16:57.063Z and was last modified on 2026-07-10T19:15:15.780Z. The NVD entry is currently Deferred. The issue is related to Hoppscotch, an open-source API development ecosystem. The CVE record was created based on information from the vendor and may not have been fully verified or validated at the time of publication. Users should verify the details with the vendor or other sources to ensure accuracy.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T18:16:57.063Z and has not been modified since then. The NVD entry is currently Deferred.