CVE-2026-50160: Critical unauthenticated mass assignment in Hoppscotch backend
| Field | Value |
|---|---|
| CVE ID | CVE-2026-50160 |
| CVSS score | 10.0 |
| Attack vector | Network, via unauthenticated POST /v1/onboarding/config |
| Auth required | None |
| Patch status | Fixed in Hoppscotch 2026.5.0 |
TL;DR -
hoppscotch-backend2026.4.1and earlier expose an unauthenticated mass-assignment flaw during onboarding. - Attackers can overwriteJWT_SECRETandSESSION_SECRET, then forge admin tokens. - Upgrade to2026.5.0immediately and rotate secrets if the instance was exposed.
What is CVE-2026-50160?
CVE-2026-50160 is a critical vulnerability in the self-hosted Hoppscotch backend. According to the NVD description, the issue affects hoppscotch-backend version 2026.4.1 and earlier and is fixed in 2026.5.0. The flaw exists in the onboarding flow, specifically the unauthenticated endpoint POST /v1/onboarding/config.
The root cause is a mass-assignment condition. NVD states that the global NestJS ValidationPipe was configured without whitelist: true, which meant unexpected properties in the request body were not stripped before processing. Because the service layer then iterated those properties as if they were valid internal configuration values, an attacker could submit unauthorized keys such as JWT_SECRET and SESSION_SECRET. In practical terms, this lets an unauthenticated attacker seize control of authentication trust for a vulnerable instance.
Who is affected?
The affected product is the self-hosted Hoppscotch backend. The vulnerable version range is explicitly documented as 2026.4.1 and earlier. The fixed release is 2026.5.0. If you are running a self-hosted deployment and have not upgraded beyond 2026.4.1, you should assume your instance is vulnerable until proven otherwise.
Exposure depends on deployment state. The NVD description says exploitation is possible when an attacker can reach a fresh instance before onboarding completes, or when no users exist. That matters operationally: not every long-running Hoppscotch installation will present the same attack window, but internet-exposed deployments, newly provisioned systems, test environments, and instances rebuilt from automation may be especially at risk. If you do not know whether onboarding was ever reachable externally, treat that uncertainty as a reason to patch urgently and review access logs.
Why this matters operationally
This is not just a setup bug with limited impact. Overwriting JWT_SECRET gives an attacker control over the key used to sign authentication tokens. Once the signing key is attacker-controlled, they can forge JWTs for arbitrary identities, including administrative users. NVD explicitly states that this can result in full server compromise.
For defenders, the real concern is that authentication trust can be subverted without valid credentials. Even if the vulnerable window is limited to onboarding or a no-users state, successful exploitation can turn into persistent control very quickly. An attacker who forges admin tokens may be able to change configuration, access stored data, extract additional secrets, or pivot into systems integrated with the Hoppscotch deployment. If your instance handled sensitive API definitions, environment variables, or internal endpoints, the blast radius may extend beyond the application itself.
CVSS score and severity context
The reported CVSS v3.x score is 10.0, which places this flaw at the maximum critical severity. The score aligns with the described attack path: no authentication required, network reachable, low complexity if the endpoint is exposed in the right deployment state, and severe impact on confidentiality, integrity, and likely availability due to administrative takeover.
The CVSS vector was not available in the NVD summary provided here, so it should not be guessed or reconstructed without a primary source. In the absence of the vector string, defenders should still treat the score as a strong indicator of urgent patch priority. A maximum score combined with direct control over JWT_SECRET is enough to justify immediate change action even before broader exploit telemetry emerges.
Exploitation status
At the time of writing, there is no confirmed evidence in the provided primary-source material that exploitation is happening in the wild. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog based on the research note, so there is no CISA-backed confirmation of active exploitation. That said, absence from KEV is not evidence of safety; it only means public confirmation was not available from that catalog at this check.
No standalone public proof-of-concept repository was confirmed from the provided sources either. However, defenders should not take comfort from the lack of a widely circulated PoC. The vulnerable endpoint, affected conditions, and impact are described with enough specificity that reproduction is likely straightforward for capable attackers. In other words: exploitation in the wild is not confirmed, a PoC is not confirmed, but the attack path is sufficiently clear that you should assume opportunistic scanning and weaponization are plausible.
How the vulnerability works
The vulnerable endpoint is POST /v1/onboarding/config. In secure NestJS patterns, a validation layer often strips unapproved request fields before business logic sees them. Here, NVD says the global ValidationPipe was configured without whitelist: true, so extra properties were allowed to pass through.
That becomes dangerous because the backend service did not treat those extra fields as invalid junk. Instead, it iterated them as if they were valid InfraConfig entries. Since keys like JWT_SECRET and SESSION_SECRET were considered valid configuration enum values and were not explicitly rejected during validation, an unauthenticated user could supply them during onboarding. The application would then persist attacker-controlled values, effectively handing the attacker control over token signing and session trust.
Technical Notes
A simplified example of the risky request pattern, based on the NVD-described behavior, would look like this:
POST /v1/onboarding/config HTTP/1.1
Host: hoppscotch.example
Content-Type: application/json
{
"someExpectedField": "value",
"JWT_SECRET": "attacker-controlled-secret",
"SESSION_SECRET": "attacker-controlled-session-secret"
}
The implementation issue is conceptually similar to the following NestJS anti-pattern:
app.useGlobalPipes(
new ValidationPipe({
// whitelist: true is missing
transform: true
})
)
A safer pattern would explicitly strip undeclared properties:
app.useGlobalPipes(
new ValidationPipe({
whitelist: true,
forbidNonWhitelisted: true,
transform: true
})
)
What defenders should do next
First, identify every self-hosted Hoppscotch backend instance and confirm its version. Any deployment on 2026.4.1 and earlier should move to 2026.5.0 immediately. Second, determine whether POST /v1/onboarding/config was reachable from untrusted networks during initial provisioning or after rebuilds. Third, rotate JWT_SECRET and SESSION_SECRET if exposure cannot be ruled out.
Finally, improve deployment hygiene around initialization workflows. Onboarding and bootstrap endpoints are often overlooked because they are only expected to exist briefly, but they are high-value targets precisely because they can influence trust and configuration. Restrict those paths to administrator IP ranges during setup, keep staging and fresh-production builds off the public internet until initialized, and ensure input validation protections like whitelist: true are enforced consistently across all externally reachable API paths.
Detection and investigation
Detection should focus on two questions: was the onboarding endpoint reachable, and was it used unexpectedly? Because exploitation requires access to POST /v1/onboarding/config in a fresh or not-yet-initialized deployment state, your first review target is HTTP access telemetry from reverse proxies, load balancers, API gateways, and application logs during provisioning windows. Even if the application itself logs sparsely, upstream web infrastructure may still show suspicious POST activity.
You should also review for downstream signs of authentication abuse after any onboarding access. If JWT_SECRET was overwritten, forged tokens may appear valid to the application. That means you may not see obvious “failed login” events. Instead, look for sudden administrative activity, configuration changes, new privileged sessions, or token issuance behavior that does not align with your onboarding timeline. If you lack detailed logs, assume compromise is possible when the vulnerable endpoint was exposed to untrusted networks.
Technical Notes
Concrete log patterns worth searching for include requests to the onboarding endpoint from unexpected IPs:
grep -R 'POST /v1/onboarding/config' /var/log/nginx/ /var/log/apache2/ 2>/dev/null
Example web log pattern:
203.0.113.44 - - [01/Jul/2026:18:11:02 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512 "-" "curl/8.7.1"
If you ingest reverse proxy logs into Splunk, a basic query could be:
index=web_logs ("POST /v1/onboarding/config" OR uri_path="/v1/onboarding/config")
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, http_user_agent, status
| convert ctime(first_seen) ctime(last_seen)
A simple Sigma-style idea for detection engineering at the proxy layer:
title: Hoppscotch Onboarding Endpoint Access
logsource:
category: webserver
detection:
selection:
cs-method: POST
cs-uri-stem: /v1/onboarding/config
condition: selection
level: high
If you have database or config audit telemetry, search for changes involving JWT_SECRET or SESSION_SECRET around onboarding time. Exact field names and storage schema are not provided in the source material, so do not assume a particular table or log key without validating against your deployment.
Mitigation and patching
The primary fix is to upgrade to Hoppscotch 2026.5.0 or later. The vulnerable range is explicitly 2026.4.1 and earlier, so anything in that range should be considered exposed until updated. If you run self-hosted Hoppscotch through containers or orchestration, update the backend image or package reference to 2026.5.0 and redeploy.
Patching alone may not be enough if the instance was reachable before onboarding completed. Because the vulnerability allows overwriting JWT_SECRET and SESSION_SECRET, you should rotate those values after upgrading if there is any chance the endpoint was exposed. Also invalidate active sessions and tokens where feasible. If you cannot verify prior exposure, the safer assumption is that an unauthenticated attacker could have changed authentication secrets without leaving obvious signs.
Technical Notes
If you deploy via Docker Compose, the exact image tag depends on your environment, but the practical mitigation is to set the Hoppscotch backend image to 2026.5.0 and redeploy:
docker compose pull
docker compose up -d
If your compose file pins a version, update it explicitly to 2026.5.0 before restarting services. For Kubernetes-based deployments, update the image tag in the Deployment manifest and apply it:
kubectl set image deployment/hoppscotch-backend hoppscotch-backend=ghcr.io/hoppscotch/hoppscotch-backend:2026.5.0
kubectl rollout status deployment/hoppscotch-backend
Where immediate upgrade is not possible, restrict access to the onboarding path as a temporary workaround. For example, at the reverse proxy layer, deny external access to the endpoint until the instance is initialized and patched:
location = /v1/onboarding/config {
allow 192.0.2.0/24;
deny all;
}
After patching, rotate secrets and restart services so the new values take effect. The exact secret rotation procedure depends on how your deployment manages environment variables or stored infra config. At minimum, generate new values for JWT_SECRET and SESSION_SECRET, update them in your deployment configuration, restart the backend, and invalidate existing sessions if the platform supports it.
References
| Source | URL |
|---|---|
| NVD record | https://nvd.nist.gov/vuln/detail/CVE-2026-50160 |
| GitHub Security Advisory | https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-j542-4rch-8hwf |
| Patch / pull request | https://github.com/hoppscotch/hoppscotch/pull/6171 |
| Openwall reference | http://www.openwall.com/lists/oss-security/2026/06/23/7 |
| CISA KEV catalog | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
| Password Manager Glossary | /content/glossary-password-manager/ |
| Cyber Risk Communication | /content/2026-05-23-digest-weekend-briefing-communicating-cyber-risk/ |
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.