A critical Hoppscotch mass assignment vulnerability threatens self-hosted API deployments. The flaw, tracked as CVE-2026-50160, allows unauthenticated users to take over instances completely.
TL;DR
Security researchers uncovered a CVSS 10 vulnerability in the Hoppscotch API development ecosystem. This Hoppscotch mass assignment issue allows attackers to overwrite critical security keys. Consequently, hackers achieve full server compromise by forging admin tokens.
Why it matters
This vulnerability exposes organizations during their initial software deployment phase. Self-hosted instances face extreme risk before administrators complete the onboarding process. The report notes, “self-hosted Hoppscotch instances are exposed to the internet during initial setup.” Thus, the window between deployment and completion of onboarding leaves systems highly vulnerable.
An attacker can overwrite the session secret and JWT signing key values. Therefore, they can forge JWT tokens for any user identity without knowing their credentials. This grants them persistent administrative access. Even if the legitimate admin resets their credentials, the attacker retains control over the signing key. They hold this access until the deployment is fully torn down.
Furthermore, intruders can exfiltrate all stored workspaces, API keys, and team data using authenticated GraphQL queries. Attackers can also inject other keys to weaken password hashing. They can even overwrite OAuth app secrets for Google, GitHub, and Microsoft integrations.
How the attack works
The attack targets the onboarding configuration endpoint, which accepts unauthenticated requests as long as the instance's user count remains at zero. The application runs incoming request bodies through a validation pipe, but that pipe is not configured with the strict whitelist rule, so properties outside the expected onboarding fields are passed through rather than stripped.
Consequently, an attacker can inject arbitrary configuration keys into the database via mass assignment. The service layer iterates over every supplied key without restriction and casts each one directly, with no runtime check against a list of permitted keys. Because the handling code has no explicit validation cases for the security-sensitive keys, its switch statement simply falls through to a default break, and the database silently accepts the malicious input.
Attackers send a specially crafted JSON payload containing the malicious keys alongside legitimate onboarding fields. The server saves these keys and immediately grants the attacker total control.
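As an added example, not code from the Hoppscotch project or the advisory: a TypeScript allowlist filter for an onboarding request body that behaves like a validation pipe with the whitelist rule enforced, in strict mode (reject any unexpected key) and in lenient mode (strip unexpected keys and continue). The key names and the sample request body are constructed placeholders, not real configuration keys.

```typescript
// Added example, not Hoppscotch code. Keys the onboarding form may
// legitimately set; the names are hypothetical placeholders.
const ONBOARDING_ALLOWLIST: ReadonlySet<string> = new Set([
  "ADMIN_EMAIL",
  "APP_BASE_URL",
  "MAILER_ADDRESS",
]);

interface FilterResult {
  accepted: Record<string, string>;
  rejected: string[];
}

// Strict mode behaves like a validation pipe with both "whitelist" and
// "forbid non-whitelisted" enabled: one unexpected key fails the request.
// Lenient mode behaves like "whitelist" alone: unexpected keys are dropped
// and the remaining fields proceed. Either closes the mass-assignment path;
// the vulnerable configuration did neither and forwarded every key.
function filterOnboardingInput(body: unknown, strict = true): FilterResult {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    throw new Error("onboarding body must be a JSON object");
  }
  const accepted: Record<string, string> = {};
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(body as Record<string, unknown>)) {
    if (!ONBOARDING_ALLOWLIST.has(key)) {
      rejected.push(key); // never forwarded to the service layer
      continue;
    }
    if (typeof value !== "string") {
      throw new Error(`onboarding key ${key} must be a string`);
    }
    accepted[key] = value;
  }
  if (strict && rejected.length > 0) {
    throw new Error(`unexpected configuration keys: ${rejected.join(", ")}`);
  }
  return { accepted, rejected };
}

// Constructed request body: legitimate onboarding fields plus an attempt to
// smuggle an unrelated secret-bearing setting through the same endpoint.
// "JWT_SIGNING_KEY" is a hypothetical name, not a real configuration key.
const SAMPLE_BODY: Record<string, unknown> = {
  ADMIN_EMAIL: "admin@example.test",
  APP_BASE_URL: "https://hoppscotch.example.test",
  JWT_SIGNING_KEY: "attacker-chosen-value",
};

// Lenient mode reports what was dropped so the attempt is visible to defenders.
const lenient = filterOnboardingInput(SAMPLE_BODY, false);
console.log("accepted:", Object.keys(lenient.accepted), "dropped:", lenient.rejected);
```

Logging the rejected key names (never their values) gives a detection signal for onboarding requests that carry settings the form does not expose.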
Affected versions
This severe vulnerability impacts Hoppscotch deployments running version 2026.4.1 and older. The risk strictly applies to newly installed instances where onboarding remains incomplete. Security teams have not confirmed active exploitation in the wild. However, a live proof-of-concept exists.
Patch or mitigation steps
Administrators must secure their instances immediately. You should upgrade to Hoppscotch version 2026.5.0 to resolve this issue. The developers patched the endpoint by enforcing strict validation rules. You can find more details in the official security advisory. Also, teams should complete the onboarding setup immediately after deploying new instances. This action changes the user count and disables the vulnerable endpoint entirely.