CVE-2026-28215
Hoppscotch · Hoppscotch
A critical flaw in Hoppscotch allows unauthenticated attackers to overwrite infrastructure configurations via the onboarding endpoint, leading to SSO hijacking and full credential exposure.
Executive summary
An unauthenticated configuration overwrite vulnerability in Hoppscotch allows attackers to hijack OAuth authentication and steal sensitive recovery tokens, leading to a total instance compromise.
Vulnerability
This vulnerability resides in the POST /v1/onboarding/config endpoint, which lacks authentication guards and does not check whether onboarding has already been completed. An unauthenticated attacker can send a single HTTP request to replace the configured OAuth credentials and retrieve a plaintext recovery token for all stored secrets.
Business impact
A successful exploit allows an attacker to intercept OAuth tokens and email addresses for all users logging in via SSO. By replacing legitimate credentials with their own, the attacker gains persistent access to user accounts and sensitive infrastructure secrets, including SMTP passwords. With a CVSS score of 9.1, this represents a critical risk to data confidentiality and system integrity.
Remediation
Immediate Action: Update the self-hosted Hoppscotch instance to version 2026.2.0 or later immediately to close the vulnerable onboarding endpoint.
Proactive Monitoring: Review access logs for unauthorized POST requests to the /v1/onboarding/config endpoint and monitor for unexpected changes in OAuth provider settings.
Compensating Controls: Restrict access to the Hoppscotch management interface using network-level access control lists (ACLs) or a VPN until the update is applied.
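The Proactive Monitoring step above can be put into practice with a small log review script. The following is an added example, not code from the advisory or from the Hoppscotch project: it scans reverse-proxy access logs in the standard "combined" format for POST requests to the /v1/onboarding/config endpoint named in the advisory and separates legitimate initial-setup traffic from later hits. It assumes the backend is reached through such a proxy, that the setup completion time is known to the administrator, and that a proxy may prefix the backend path (so the match is on the path suffix); all log lines below are constructed samples.

```python
"""
Added example (not from the advisory or the Hoppscotch project): find POST
requests to the onboarding config endpoint in combined-format access logs and
flag those made after initial setup was completed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# NGINX/Apache "combined" log format (assumed deployment layout).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory; matched as a suffix because a reverse
# proxy may mount the backend under a prefix (assumption).
TARGET_PATH = "/v1/onboarding/config"


@dataclass
class Hit:
    ip: str
    timestamp: datetime
    status: int
    user_agent: str
    after_setup: bool


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_onboarding_writes(lines: Iterable[str], setup_completed_at: datetime) -> List[Hit]:
    """Return every POST to the onboarding config endpoint, marking post-setup ones."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if rec["method"] == "POST" and path.endswith(TARGET_PATH):
            hits.append(Hit(
                ip=rec["ip"],
                timestamp=rec["timestamp"],
                status=rec["status"],
                user_agent=rec["ua"],
                after_setup=rec["timestamp"] > setup_completed_at,
            ))
    return hits


def suspicious_hits(hits: List[Hit]) -> List[Hit]:
    """Post-setup POSTs that the server accepted (2xx) are the ones to investigate first."""
    return [h for h in hits if h.after_setup and 200 <= h.status < 300]


# Constructed sample log: one legitimate setup write, then later unexpected traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2026:09:12:01 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2026:09:12:05 +0000] "GET / HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Mar/2026:02:41:17 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.23 - - [05/Mar/2026:02:41:18 +0000] "GET /v1/onboarding/config HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.9 - - [05/Mar/2026:03:00:00 +0000] "POST /backend/v1/onboarding/config HTTP/1.1" 404 0 "-" "python-requests/2.31"
""".splitlines()

# Constructed: when the administrator finished initial onboarding.
SETUP_DONE = datetime(2026, 3, 2, 10, 0, tzinfo=timezone.utc)


def run_review(lines: Iterable[str] = SAMPLE_LOG, setup_done: datetime = SETUP_DONE) -> dict:
    """Summarise the review; returned so callers can act on it rather than only print it."""
    hits = find_onboarding_writes(lines, setup_done)
    return {
        "total_posts": len(hits),
        "post_setup": [h for h in hits if h.after_setup],
        "suspicious": suspicious_hits(hits),
    }


if __name__ == "__main__":
    report = run_review()
    print(f"POSTs to {TARGET_PATH}: {report['total_posts']}")
    for h in report["post_setup"]:
        tag = "ACCEPTED" if h in report["suspicious"] else "rejected"
        print(f"  {h.timestamp.isoformat()} {h.ip} status={h.status} ua={h.user_agent!r} [{tag}]")
```

A successful (2xx) POST to this endpoint after onboarding has finished is the signal worth alerting on; rejected attempts still show who is probing, and either finding should be followed by the OAuth provider settings check from the Proactive Monitoring step.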
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a catastrophic risk to identity management and data privacy within self-hosted environments. It is imperative that administrators apply the version 2026.2.0 patch immediately to prevent unauthorized configuration changes and SSO hijacking.