← All Advisories

Critical Mass Assignment Vulnerability in Hoppscotch Backend (CVE-2026-50160)

A critical mass assignment vulnerability in Hoppscotch self-hosted deployments allows unauthenticated attackers to overwrite sensitive configuration secrets via the /v1/onboarding/config endpoint.

Hoppscotch, an API development ecosystem, contains a critical vulnerability in self-hosted versions of hoppscotch-backend up to 2026.4.1. The unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment due to improper configuration of the NestJS ValidationPipe. The absence of 'whitelist: true' allows attackers to submit arbitrary properties in the request body, which are processed as legitimate InfraConfig entries. This enables overwriting of critical secrets such as JWT_SECRET and SESSION_SECRET, which are valid InfraConfigEnum values. Attackers can exploit this to compromise authentication mechanisms, escalate privileges, or disrupt service operations. All self-hosted deployments using affected versions are at risk. Immediate remediation is required due to the CVSS 10.0 severity score. Mitigation involves upgrading to a patched version of hoppscotch-backend where the ValidationPipe is properly configured to reject undeclared properties.

Stay Informed

Subscribe to get advisories like this delivered to your inbox.

Subscribe to Alerts