Critical Mass Assignment Vulnerability in Hoppscotch Backend (CVE-2026-50160)
Hoppscotch, an API development ecosystem, contains a critical vulnerability in self-hosted versions of hoppscotch-backend up to 2026.4.1. The unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment due to improper configuration of the NestJS ValidationPipe. The absence of 'whitelist: true' allows attackers to submit arbitrary properties in the request body, which are processed as legitimate InfraConfig entries. This enables overwriting of critical secrets such as JWT_SECRET and SESSION_SECRET, which are valid InfraConfigEnum values. Attackers can exploit this to compromise authentication mechanisms, escalate privileges, or disrupt service operations. All self-hosted deployments using affected versions are at risk. Immediate remediation is required due to the CVSS 10.0 severity score. Mitigation involves upgrading to a patched version of hoppscotch-backend where the ValidationPipe is properly configured to reject undeclared properties.