Hoppscotch Community Edition

v2026.5.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 6d API Development

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

api api-client api-rest api-testing developer-tools graphql

+11 more

http http-client pwa rest spa testing testing-tools tools vue vuejs websocket

Affected surfaces

auth deps

ReleasePort's take

Moderate signal

editorial:auto 6d

The release adds proxy configuration via environment variables and admin dashboard while fixing secret leakage in backend processing.

Why it matters: Patching dependency chain v2026.5.0 resolves high‑severity (85) security vulnerabilities; preventing mass assignment blocks unauthorized data writes, critical for onboarding integrity.

Summary

AI summary

Updates fix, common, and feat across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Prevent mass assignment in onboarding to avoid unauthorized data writes. Prevent mass assignment in onboarding to avoid unauthorized data writes. Source: llm_adapter@2026-05-28 Confidence: high	—
Security	High	Patch dependency chain `v2026.5.0` for security vulnerabilities. Patch dependency chain `v2026.5.0` for security vulnerabilities. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature
Feature	Medium	Add zoom level control in Desktop App settings. Add zoom level control in Desktop App settings. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Make proxy URL configurable via environment variables and admin dashboard. Make proxy URL configurable via environment variables and admin dashboard. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Add OpenAPI 3.1 collection export capability. Add OpenAPI 3.1 collection export capability. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix
Bugfix	Medium	Stop secret variable values from leaking to the backend. Stop secret variable values from leaking to the backend. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Low	Wait for proxy settings before issuing requests to avoid mis‑routing. Wait for proxy settings before issuing requests to avoid mis‑routing. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Low	Preserve collection tree on OpenAPI re‑import to maintain structure. Preserve collection tree on OpenAPI re‑import to maintain structure. Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

This release adds OpenAPI 3.1 collection export, zoom level controls in the Desktop App, and configurable proxy URLs from environment variables and the admin dashboard, alongside security patches and bug fixes.

What's Changed

fix(security): prevent mass assignment in onboarding by @nahidhasan94 in https://github.com/hoppscotch/hoppscotch/pull/6171
fix: class validator decorator usages by @mirarifhasan in https://github.com/hoppscotch/hoppscotch/pull/6293
chore: security patch for the dependency chain v2026.5.0 by @mirarifhasan in https://github.com/hoppscotch/hoppscotch/pull/6338
fix: stop secret variable values from leaking to backend by @nivedin in https://github.com/hoppscotch/hoppscotch/pull/6279
fix(common): wait for proxy settings before issuing requests by @anwarulislam in https://github.com/hoppscotch/hoppscotch/pull/6333
feat: make proxy URL configurable from env and admin dashboard by @mirarifhasan in https://github.com/hoppscotch/hoppscotch/pull/6336
feat(desktop): zoom level control in settings by @CuriousCorrelation in https://github.com/hoppscotch/hoppscotch/pull/6358
feat(common): add OpenAPI 3.1 collection export by @mcdgavin in https://github.com/hoppscotch/hoppscotch/pull/5880
fix(desktop): align appload types and resolve shell import alias by @CuriousCorrelation in https://github.com/hoppscotch/hoppscotch/pull/6369
fix: class validation issue for updateRESTUserRequest by @mirarifhasan in https://github.com/hoppscotch/hoppscotch/pull/6373
feat: add Mongolian translation by @cf3901646 in https://github.com/hoppscotch/hoppscotch/pull/6344
fix(common): preserve collection tree on OpenAPI re-import by @jamesgeorge007 in https://github.com/hoppscotch/hoppscotch/pull/6376

New Contributors

@mcdgavin made their first contribution in https://github.com/hoppscotch/hoppscotch/pull/5880
@cf3901646 made their first contribution in https://github.com/hoppscotch/hoppscotch/pull/6344

Full Changelog: https://github.com/hoppscotch/hoppscotch/compare/2026.4.1...2026.5.0

Security Fixes

fix(security): prevent mass assignment in onboarding
fix: stop secret variable values from leaking to backend
chore: security patch for dependency chain `v2026.5.0`

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Hoppscotch Community Edition

Get notified when new releases ship.

About Hoppscotch Community Edition

Fast and beautiful API request builder.

All releases →