CVE-2026-50160
Hoppscotch · Hoppscotch
An unauthenticated mass assignment vulnerability in the Hoppscotch backend allows attackers to overwrite critical configuration secrets and forge administrative JWT tokens.
Executive summary
A critical mass assignment vulnerability in Hoppscotch allows unauthenticated attackers to compromise the entire server by overwriting sensitive configuration secrets.
Vulnerability
This vulnerability stems from an insecurely configured NestJS ValidationPipe that fails to whitelist request body properties. An unauthenticated attacker can manipulate the onboarding endpoint to inject and overwrite critical database entries, including JWT and SESSION secrets.
Business impact
The exploitation of this flaw leads to a complete compromise of the Hoppscotch instance, granting the attacker the ability to forge tokens for any user, including administrative accounts. With a CVSS score of 10.0, this represents the highest level of risk, leading to total unauthorized control over the API development ecosystem, potential exfiltration of sensitive API keys, and full loss of system integrity.
Remediation
Immediate Action: Upgrade the Hoppscotch backend to version 2026.5.0 or later immediately to apply the necessary validation whitelisting.
Proactive Monitoring: Monitor database audit logs for unauthorized changes to infrastructure configuration settings and review access logs for suspicious activity on the /v1/onboarding/config endpoint.
Compensating Controls: Implement strict network-level access controls to ensure the onboarding endpoint is not exposed to the public internet until the update is applied.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this vulnerability and the potential for full server takeover, immediate patching is mandatory. Organizations must prioritize updating their Hoppscotch deployments to version 2026.5.0 and perform a security audit of current environment variables to ensure no secrets have already been tampered with.