CVE-2026-50160

Mass Assignment in Hoppscotch Backend

Vulnerability report for CVE-2026-50160, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend up to and including version 2026.4.1, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extra properties on the request body that are not declared in SaveOnboardingConfigRequest are not stripped and are iterated in the service layer as if they were legitimate InfraConfig entries. Because keys such as JWT_SECRET and SESSION_SECRET are valid InfraConfigEnum values and are not explicitly rejected during validation, an unauthenticated attacker who can reach a fresh instance before onboarding completes (or when no users exist) can overwrite these values in the database. Overwriting JWT_SECRET gives the attacker control of the JWT signing key, allowing them to forge tokens for any user, including administrators, and results in full server compromise. The issue is fixed in hoppscotch 2026.5.0.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

2 associated CPEs:

Vendor      Product     Version / Range
hoppscotch  hoppscotch  up to 2026.5.0 (excluding)
hoppscotch  hoppscotch  2026.5.0

Exploitability

CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Compliance Impact

CVE-2026-50160 allows unauthenticated attackers to overwrite critical security configuration keys such as JWT_SECRET and SESSION_SECRET, leading to full server compromise and the ability to forge authentication tokens for any user, including administrators.

Such a compromise can result in unauthorized access to sensitive personal data and administrative controls, which may violate data protection requirements under regulations like GDPR and HIPAA.

Organizations using vulnerable versions of Hoppscotch could face non-compliance risks due to potential data breaches and failure to protect sensitive information as mandated by these standards.

Immediate upgrading to the fixed version (2026.5.0) and applying the recommended security measures is essential to mitigate these compliance risks.

Executive Summary

CVE-2026-50160 is a critical vulnerability in the Hoppscotch API development platform affecting self-hosted deployments of hoppscotch-backend version 2026.4.1 and earlier. The vulnerability exists in the unauthenticated POST /v1/onboarding/config endpoint, which is vulnerable to mass assignment due to missing validation settings in the NestJS ValidationPipe.

Because the ValidationPipe is not configured with whitelist: true, extra properties in the request body that are not declared in the expected data structure are not stripped out. This allows attackers to submit arbitrary configuration keys such as JWT_SECRET and SESSION_SECRET, which are normally sensitive and not meant to be set by users.

An unauthenticated attacker who can access a fresh instance before onboarding completes (or when no users exist) can overwrite these secret values in the database. Overwriting JWT_SECRET enables the attacker to forge JWT tokens for any user, including administrators, leading to full server compromise.

Impact Analysis

This vulnerability can have severe impacts including full server compromise. By exploiting the mass assignment flaw, an attacker can overwrite critical security configuration values such as JWT_SECRET and SESSION_SECRET.

With control over JWT_SECRET, the attacker can forge authentication tokens for any user, including administrators, effectively gaining unauthorized administrative access to the system.

This unauthorized access can lead to data exfiltration, manipulation of application behavior, and complete loss of control over the server hosting the Hoppscotch backend.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the /v1/onboarding/config endpoint on fresh or uninitialized Hoppscotch backend instances.

A practical detection method is to inspect HTTP logs or use network monitoring tools to identify suspicious POST requests containing unexpected or sensitive keys such as JWT_SECRET or SESSION_SECRET in the request body.

Example commands to detect such activity include:

  • Using grep on server logs to find POST requests to the vulnerable endpoint: grep 'POST /v1/onboarding/config' /var/log/hoppscotch/access.log
  • Using tcpdump or tshark to capture HTTP POST requests to the endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/v1/onboarding/config'
  • Using curl or HTTP client tools to test if the endpoint accepts unauthorized configuration changes by sending crafted POST requests with sensitive keys.
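The log-based detection described above, worked as an added example that is not part of this report or of the Hoppscotch project. It assumes Combined Log Format lines from a reverse proxy in front of hoppscotch-backend; the log lines, type names and function names below are the example's own constructions. One caveat a practitioner should keep in mind: a standard access log records method, path, status and size, not the request body, so matching on keys such as JWT_SECRET or SESSION_SECRET (the second bullet above) requires a proxy or WAF configured to log bodies. This example works with what an access log does contain and surfaces every POST to the endpoint, per source address.

```typescript
// Added example (not from the advisory or the Hoppscotch project): scan
// reverse-proxy access logs for POST requests to the onboarding endpoint.
// Assumes Combined Log Format; all sample lines below are constructed.

export type Hit = {
  ip: string;
  time: string;
  method: string;
  path: string;   // as requested, query string included
  status: number; // 2xx suggests the write was accepted, 4xx that it was refused
  bytes: number;
};

// Endpoint named in the advisory.
export const ONBOARDING_PATH = "/v1/onboarding/config";

// Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/;

export function parseLogLine(line: string): Hit | null {
  const m = LOG_RE.exec(line);
  if (!m) return null; // malformed or truncated line: skip rather than crash the scan
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    bytes: m[6] === "-" ? 0 : Number(m[6]),
  };
}

// Every POST whose path (query string stripped) is the onboarding endpoint.
// Failed attempts (4xx) are kept on purpose: probing is itself a signal.
export function findOnboardingWrites(lines: string[]): Hit[] {
  const hits: Hit[] = [];
  for (const line of lines) {
    const h = parseLogLine(line);
    if (!h) continue;
    const pathOnly = h.path.split("?")[0];
    if (h.method === "POST" && pathOnly === ONBOARDING_PATH) hits.push(h);
  }
  return hits;
}

// Per-source counts, so one client repeatedly hitting the endpoint stands out.
export function countBySource(hits: Hit[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const h of hits) counts.set(h.ip, (counts.get(h.ip) ?? 0) + 1);
  return counts;
}

// Constructed sample log (documentation address ranges, fictitious timestamps).
export const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [01/Jul/2026:10:15:02 +0000] "GET /v1/onboarding/config HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [01/Jul/2026:10:15:09 +0000] "POST /v1/onboarding/config HTTP/1.1" 201 54 "-" "curl/8.5.0"',
  '198.51.100.23 - - [01/Jul/2026:10:16:40 +0000] "POST /v1/onboarding/config?retry=1 HTTP/1.1" 201 54 "-" "python-requests/2.32"',
  '198.51.100.23 - - [01/Jul/2026:10:16:41 +0000] "POST /v1/example/other HTTP/1.1" 200 12 "-" "python-requests/2.32"',
  'garbage line that does not parse',
  '203.0.113.7 - - [01/Jul/2026:10:17:00 +0000] "POST /v1/onboarding/config HTTP/1.1" 400 31 "-" "curl/8.5.0"',
];

// Stand-alone run: print each flagged request and the per-source summary.
for (const h of findOnboardingWrites(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.ip} ${h.method} ${h.path} -> ${h.status}`);
}
console.log(Object.fromEntries(countBySource(findOnboardingWrites(SAMPLE_LOG))));
```

On a fresh instance there is no legitimate reason for more than the one onboarding submission performed by the operator, so any second POST, any POST from an address other than the operator's, or a POST arriving before the operator has even started onboarding is worth an alert regardless of status code.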

Mitigation Strategies

The primary immediate mitigation step is to upgrade Hoppscotch to version 2026.5.0 or later, where the vulnerability is fixed.

Additional mitigation steps include:

  • Apply the fix that enables the global NestJS ValidationPipe with whitelist: true and forbidNonWhitelisted: true to reject unknown request fields.
  • Implement endpoint-specific validation to explicitly reject unknown or sensitive keys in the onboarding configuration requests.
  • Add service-level allowlist filtering to only permit safe configuration keys and explicitly reject sensitive keys such as JWT_SECRET and SESSION_SECRET.
  • Restrict access to the onboarding endpoint by adding authentication or disabling re-onboarding on production systems.
  • Review and apply any additional security patches or configuration changes recommended in the official advisory.
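The service-level allowlist from the three validation bullets above, as an added example that is not the Hoppscotch project's own fix. It assumes the onboarding body is a flat object of config name to value; the allowlist entries prefixed EXAMPLE_ are hypothetical placeholders (a real allowlist would be drawn from the project's own InfraConfigEnum), and only JWT_SECRET and SESSION_SECRET come from the advisory. The type and function names are the example's own. The permissive filter mirrors what whitelist: true does at the DTO layer (strip unknown keys); the strict variant mirrors forbidNonWhitelisted: true (reject the whole request).

```typescript
// Added example (not Hoppscotch's own code): a service-layer allowlist for the
// onboarding configuration, applied regardless of how the global ValidationPipe
// is configured, so a future pipe misconfiguration cannot reopen the hole.

type InfraConfigEntry = { name: string; value: string };

export type Rejection = {
  name: string;
  reason: "sensitive-key" | "unknown-key" | "bad-value";
};

export type FilterResult = { accepted: InfraConfigEntry[]; rejected: Rejection[] };

// Keys the onboarding flow may set. Hypothetical names for illustration only;
// derive the real list from the project's InfraConfigEnum.
export const ONBOARDING_ALLOWLIST: ReadonlySet<string> = new Set([
  "EXAMPLE_MAILER_SMTP_URL",
  "EXAMPLE_MAILER_ADDRESS_FROM",
  "EXAMPLE_ALLOW_SIGNUP",
]);

// Keys that must never be writable through an unauthenticated endpoint, even
// though they are valid InfraConfig names. Checked before the allowlist so an
// accidental allowlist entry can never make them writable.
export const SENSITIVE_KEYS: ReadonlySet<string> = new Set([
  "JWT_SECRET",
  "SESSION_SECRET",
]);

// Permissive mode: keep allowed entries, report everything else.
export function filterOnboardingConfig(body: unknown): FilterResult {
  const result: FilterResult = { accepted: [], rejected: [] };
  // Only a plain object is a valid body; arrays, null and primitives yield nothing.
  if (typeof body !== "object" || body === null || Array.isArray(body)) return result;

  for (const [name, value] of Object.entries(body as Record<string, unknown>)) {
    if (SENSITIVE_KEYS.has(name)) {
      result.rejected.push({ name, reason: "sensitive-key" });
    } else if (!ONBOARDING_ALLOWLIST.has(name)) {
      result.rejected.push({ name, reason: "unknown-key" });
    } else if (typeof value !== "string") {
      result.rejected.push({ name, reason: "bad-value" });
    } else {
      result.accepted.push({ name, value });
    }
  }
  return result;
}

// Strict mode: any rejected key fails the whole request, so a client that
// sends extra keys gets an error instead of a silently trimmed write.
export function assertOnboardingConfig(body: unknown): InfraConfigEntry[] {
  const { accepted, rejected } = filterOnboardingConfig(body);
  if (rejected.length > 0) {
    const detail = rejected.map((r) => `${r.name} (${r.reason})`).join(", ");
    throw new Error(`onboarding config rejected: ${detail}`);
  }
  return accepted;
}

// Constructed sample body: one legitimate key, the two secrets named in the
// advisory, and an unrelated key with a non-string value.
export const SAMPLE_BODY: Record<string, unknown> = {
  EXAMPLE_ALLOW_SIGNUP: "true",
  JWT_SECRET: "<constructed>",
  SESSION_SECRET: "<constructed>",
  UNRELATED: 42,
};

// Stand-alone run: show both modes on the sample body.
console.log(filterOnboardingConfig(SAMPLE_BODY));
try {
  assertOnboardingConfig(SAMPLE_BODY);
} catch (e) {
  console.log((e as Error).message);
}
```

In a service that persists InfraConfig entries, the strict variant is the better default for an unauthenticated endpoint: a rejected request leaves an error in the logs that the detection guidance above can alert on, whereas silent stripping hides the probe. Either variant belongs in the service, not only in the DTO, so that the secrets stay protected even if someone later registers another controller that writes the same table.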
