Hoppscotch: Critical Hoppscotch Vulnerability Lets Attackers Overwrite JWT_SECRET and Forge Admin Tokens

Critical Hoppscotch Vulnerability (CVE-2026-50160) Enables Full System Takeover

A severe security flaw (CVE-2026-50160) has been discovered in the self-hosted Hoppscotch backend, allowing unauthenticated attackers to overwrite sensitive configuration values including the JWT signing secret and gain full administrative control of affected instances. The vulnerability, detailed in GitHub advisory GHSA-j542-4rch-8hwf, impacts all versions up to 2026.4.1 and has been patched in 2026.5.0. With a CVSS score of 10.0, the flaw is trivial to exploit and poses a catastrophic risk.

Root Cause & Exploitation

The vulnerability stems from a mass assignment flaw in the POST /v1/onboarding/config endpoint, which is accessible without authentication during the initial setup phase (when no users exist). The endpoint, designed to configure onboarding parameters like SMTP and OAuth settings, lacks proper input validation, allowing attackers to inject arbitrary configuration keys.

The issue arises from the use of the NestJS ValidationPipe without its whitelist (allowlist) option enabled, so unfiltered request data passes through validation. Sensitive keys such as JWT_SECRET and SESSION_SECRET, which are valid internal enum values, can therefore be overwritten, because the validateEnvValues logic only checks that a key is a known value and fails to reject entries that the onboarding step should never be allowed to set.

Attack Chain & Impact

A successful exploit requires just a single crafted HTTP request. Attackers can:

  • Overwrite JWT_SECRET, enabling token forgery for any user (including admins).
  • Bypass JwtAuthGuard protections, granting unrestricted access to sensitive data and API keys.
  • Hijack sessions by modifying SESSION_SECRET, invalidating legitimate user sessions.
  • Maintain persistent access even after credential resets.

The flaw is particularly dangerous for newly deployed instances exposed to the internet before onboarding is complete, creating a high-risk window for automated or opportunistic attacks.

Proof-of-Concept Exploitation

A basic exploit involves:

  1. Checking onboarding status via GET /v1/onboarding/status.
  2. Sending a malicious POST request to overwrite secrets:
    {
      "JWT_SECRET": "ATTACKER_CONTROLLED_VALUE",
      "SESSION_SECRET": "ATTACKER_CONTROLLED_VALUE"
    }
  3. Verifying compromise by querying the database for stored secrets.

Mitigation & Remediation

The advisory recommends:

  • Immediate upgrade to Hoppscotch 2026.5.0 or later.
  • Enabling whitelist: true in ValidationPipe to strip unknown fields.
  • Strict allowlisting of configuration keys and explicit validation for sensitive parameters.
  • Enforcing authentication or one-time setup tokens for onboarding endpoints.

The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), a common but critical flaw in modern API frameworks. Unpatched instances remain critically vulnerable to remote compromise with no user interaction required.
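To make the root cause and the allowlist fix concrete, the following is an added TypeScript example, not Hoppscotch's own code: it models the check that lets JWT_SECRET through beside the hardened check that applies whitelist / forbidNonWhitelisted semantics over an explicit onboarding allowlist, in plain TypeScript with no NestJS dependency. The onboarding key names and the helper functions are assumptions; only JWT_SECRET and SESSION_SECRET come from the advisory.

```typescript
// Added example, not Hoppscotch's own code: models the onboarding-config
// mass-assignment flaw described above and its allowlist fix in plain
// TypeScript, with no NestJS dependency. The onboarding key names below are
// assumed placeholders; only JWT_SECRET and SESSION_SECRET come from the advisory.

type ConfigBody = Record<string, unknown>;
type ValidationResult = { ok: true; config: ConfigBody } | { ok: false; reason: string };

// Keys the unauthenticated onboarding step is meant to set (assumed names).
const ONBOARDING_ALLOWLIST: readonly string[] = [
  'MAILER_SMTP_URL', 'MAILER_ADDRESS_FROM', 'GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET',
];

// Valid internal enum values that must never be settable before authentication.
const SENSITIVE_KEYS: readonly string[] = ['JWT_SECRET', 'SESSION_SECRET'];

function has(list: readonly string[], key: string): boolean {
  return list.indexOf(key) !== -1;
}

// Vulnerable shape: like a ValidationPipe without `whitelist`, the only check
// is "is this a known env key?", so JWT_SECRET passes just like an SMTP setting.
function validateConfigVulnerable(body: ConfigBody): ConfigBody {
  const config: ConfigBody = {};
  for (const k of Object.keys(body)) {
    const known = has(ONBOARDING_ALLOWLIST, k) || has(SENSITIVE_KEYS, k);
    if (known && typeof body[k] === 'string') config[k] = body[k];
  }
  return config;
}

// Hardened shape: `whitelist: true` semantics (strip unknown keys) or, with
// strict=true, `forbidNonWhitelisted: true` (reject the request), plus an
// explicit refusal of secrets so an allowlist mistake cannot re-expose them.
function validateConfigHardened(body: ConfigBody, strict: boolean = true): ValidationResult {
  const config: ConfigBody = {};
  for (const k of Object.keys(body)) {
    if (has(SENSITIVE_KEYS, k)) return { ok: false, reason: 'refusing to set ' + k + ' via onboarding' };
    if (!has(ONBOARDING_ALLOWLIST, k)) {
      if (strict) return { ok: false, reason: 'unknown config key ' + k };
      continue; // whitelist: true silently drops the key
    }
    if (typeof body[k] !== 'string') return { ok: false, reason: k + ' must be a string' };
    config[k] = body[k];
  }
  return { ok: true, config };
}
```

Even with whitelist: true, a secret that is itself a DTO property would still be accepted, which is why the hardened version refuses SENSITIVE_KEYS outright rather than relying on the allowlist alone.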

Source: https://gbhackers.com/critical-hoppscotch-vulnerability/

Hoppscotch TPRM report: https://www.rankiteo.com/company/hoppscotch

{
  "id": "hop1782735948",
  "linkid": "hoppscotch",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}