Kong · yaoweiprc · Jun 2, 2026 · May 29, 2026 · Jun 1, 2026 · Jun 1, 2026
diff --git a/packages/insomnia-data/node-src/database/database-nedb.ts b/packages/insomnia-data/node-src/database/database-nedb.ts
@@ -468,7 +468,7 @@ export const createNedbDatabase = <O = initOptions>(
       return docWithDefaults;
     },
 
-    /** get all ancestors of specified types of a document including the original */
+    /** get all ancestors of specified types of a document including the original, the order of the returned array is leaf to root */
     withAncestors: async function <T extends BaseModel>(doc: T | undefined, types: AllTypes[] = []) {
       if (!doc) {
         return [];

diff --git a/packages/insomnia/src/common/render.ts b/packages/insomnia/src/common/render.ts
@@ -536,6 +536,7 @@ export async function getRenderedRequestAndContext({
 }> {
   const ancestors = await getRenderContextAncestors(request);
   const workspace = ancestors.find(models.workspace.isWorkspace);
+  // requestGroups is of order leaf to root
   const requestGroups = ancestors.filter(isRequestGroup);
 
   const parentId = workspace ? workspace._id : 'n/a';

diff --git a/packages/insomnia/src/main/network/o-auth-2/get-token.ts b/packages/insomnia/src/main/network/o-auth-2/get-token.ts
@@ -341,9 +341,10 @@ async function getExistingAccessTokenAndRefreshIfExpired(
     const requestGroups = (
       await db.withAncestors<Request | RequestGroup>(activeRequest, [models.requestGroup.type])
     ).filter(isRequestGroup) as RequestGroup[];
-    const closestFolderAuth = [...requestGroups]
-      .reverse()
-      .find(({ authentication }) => getAuthObjectOrNull(authentication) && isAuthEnabled(authentication));
+    // requestGroups is of order leaf to root
+    const closestFolderAuth = requestGroups.find(
+      ({ authentication }) => getAuthObjectOrNull(authentication) && isAuthEnabled(authentication),
+    );
     const isRequestAuthEnabled =
       getAuthObjectOrNull(activeRequest?.authentication) && isAuthEnabled(activeRequest?.authentication);
     closestAuthId = isRequestAuthEnabled ? requestId : closestFolderAuth?._id || requestId;

diff --git a/packages/insomnia/src/network/__tests__/network.test.ts b/packages/insomnia/src/network/__tests__/network.test.ts
@@ -1097,6 +1097,32 @@ describe('getCurrentUrl for tough-cookie', () => {
   });
 });
 
+describe('getOrInheritAuthentication', () => {
+  it('should prefer the closest parent folder auth over higher-level folder auth', () => {
+    const request = { authentication: {} };
+    const requestGroups = [
+      { authentication: { type: 'basic', username: 'closest', password: 'closest-pass' } },
+      { authentication: { type: 'basic', username: 'root', password: 'root-pass' } },
+    ];
+
+    expect(networkUtils.getOrInheritAuthentication({ request, requestGroups })).toEqual({
+      type: 'basic',
+      username: 'closest',
+      password: 'closest-pass',
+    });
+  });
+
+  it("should stop inheritance when the closest parent folder auth is { type: 'none' }", () => {
+    const request = { authentication: {} };
+    const requestGroups = [
+      { authentication: { type: 'none' } },
+      { authentication: { type: 'basic', username: 'root', password: 'root-pass' } },
+    ];
+
+    expect(networkUtils.getOrInheritAuthentication({ request, requestGroups })).toEqual({ type: 'none' });
+  });
+});
+
 describe('getOrInheritHeaders', () => {
   it('should combine headers', () => {
     const requestGroups = [{ headers: [{ name: 'foo', value: 'bar' }] }, { headers: [{ name: 'baz', value: 'qux' }] }];

diff --git a/packages/insomnia/src/network/network.ts b/packages/insomnia/src/network/network.ts
@@ -63,6 +63,7 @@ export interface SendActionRuntime {
 
 export const getOrInheritAuthentication = ({
   request,
+  // requestGroups is supposed to be of order leaf to root
   requestGroups,
 }: {
   request: Request | WebSocketRequest | SocketIORequest;
@@ -73,9 +74,9 @@ export const getOrInheritAuthentication = ({
     return request.authentication;
   }
   const hasParentFolders = requestGroups.length > 0;
-  const closestParentFolderWithAuth = [...requestGroups]
-    .reverse()
-    .find(({ authentication }) => getAuthObjectOrNull(authentication) && isAuthEnabled(authentication));
+  const closestParentFolderWithAuth = requestGroups.find(
+    ({ authentication }) => getAuthObjectOrNull(authentication) && isAuthEnabled(authentication),
+  );
   const closestAuth = getAuthObjectOrNull(closestParentFolderWithAuth?.authentication);
   const shouldCheckFolderAuth = hasParentFolders && closestAuth;
   if (shouldCheckFolderAuth) {
@@ -95,7 +96,7 @@ export function getOrInheritHeaders({
   const httpHeaders = new Map<string, string>();
   const originalCaseMap = new Map<string, string>();
   // parent folders, then child folders, then request
-  const headerContexts = [...requestGroups.reverse(), request];
+  const headerContexts = [...requestGroups].reverse().concat(request);
   const headers = headerContexts.flatMap(({ headers }) => headers || []);
   headers.forEach(({ name, value, disabled }) => {
     if (disabled || !name.trim()) {