Release Notes - v2026.6.0: Desktop Cookie Persistence, Security Hardening, and Mock Server Reliability

Desktop cookie persistence, security hardening, self-hosted sync fixes, mock server reliability updates and more! 🚀

Highlights

• Desktop Cookie Persistence and Reapplication: The desktop app now preserves and reapplies cookies reliably across sessions, making authenticated workflows and multi-step testing significantly smoother.

• Ownership and Access Controls (Security): Backend APIs now enforce ownership on user history and private user fields, reducing the risk of unauthorized data access.

• Self-Hosted Version Sync Reliability: Desktop now correctly syncs the self-hosted instance version from the manifest, reducing version mismatch issues in self-hosted setups.

• Mock Server URL and Visibility Fixes: Domain-based mock server URLs now correctly append /backend when subpath access is enabled, and newly created mock servers now persist isPublic state correctly (defaulting to private).

• Improved Collection and Request Handling: OpenAPI re-import now preserves collection tree structure, inherited collection headers now resolve environment variables correctly, JSON bodies are preserved in cURL parsing, and API docs sandbox development instructions were refreshed.

• Security Hardening: This release includes backend ownership enforcement for user history and private user fields, stricter SMTP URL validation (rejecting path/query/fragment), and supply chain security patching for the v2026.6.0 dependency chain.

• Admin and Platform Improvements: Self-hosted admin now surfaces which configuration fields block saving, update request class validation was fixed, and @hoppscotch/ui was bumped to v0.2.6 across packages.

This update includes new features and important security fixes. Your data will be backed up automatically. If needed, see Downgrading and Restoring Backups.

👉 Read the full release blog