Mass Assignment Vulnerability in Hoppscotch API Development Ecosystem
CVE-2026-50160

10 CRITICAL

Key Information:

Vendor

Hoppscotch

CVE Published:
1 July 2026

What is CVE-2026-50160?

In self-hosted deployments of Hoppscotch, the /v1/onboarding/config endpoint is vulnerable to mass assignment because the NestJS ValidationPipe is improperly configured. An unauthenticated attacker can exploit this by sending a request that includes additional properties that are not validated against SaveOnboardingConfigRequest. This oversight can allow the attacker to overwrite critical configuration values such as JWT_SECRET and SESSION_SECRET in the database, which gives them the ability to forge authentication tokens and gain unauthorized access, effectively compromising the server.
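
The flaw class described above, modelled in plain TypeScript as an added example; it is not Hoppscotch code and the advisory does not show the actual fix. The names in ALLOWED_FIELDS are hypothetical placeholders, since the page does not list the real properties of SaveOnboardingConfigRequest. In NestJS terms, the hardened function behaves like a ValidationPipe with `whitelist` and `forbidNonWhitelisted` enabled.

```typescript
// Added illustration of mass assignment vs. allow-listing. Not Hoppscotch code.
type ConfigStore = { [key: string]: string };
type SaveOutcome = { ok: boolean; rejected: string[] };

// Hypothetical placeholder names; the real DTO fields are not given on the page.
const ALLOWED_FIELDS: string[] = ["ALLOWED_SETTING_A", "ALLOWED_SETTING_B"];

// Vulnerable pattern: every property in the request body is persisted,
// so a body key that matches an existing config row overwrites it.
function saveUnsafe(body: { [key: string]: unknown }, store: ConfigStore): SaveOutcome {
  for (const key of Object.keys(body)) {
    store[key] = String(body[key]);
  }
  return { ok: true, rejected: [] };
}

// Hardened pattern: refuse the whole request if any property is undeclared
// or has the wrong type, and write nothing until validation has passed.
function saveAllowListed(body: { [key: string]: unknown }, store: ConfigStore): SaveOutcome {
  const rejected = Object.keys(body).filter(
    (k) => ALLOWED_FIELDS.indexOf(k) === -1 || typeof body[k] !== "string"
  );
  if (rejected.length > 0) {
    return { ok: false, rejected };
  }
  for (const key of Object.keys(body)) {
    store[key] = body[key] as string;
  }
  return { ok: true, rejected: [] };
}

// Constructed sample data: a config table holding the two secrets the
// advisory names, and a request body carrying one undeclared property.
function freshStore(): ConfigStore {
  return { JWT_SECRET: "original-jwt-secret", SESSION_SECRET: "original-session-secret" };
}
const constructedBody: { [key: string]: unknown } = {
  ALLOWED_SETTING_A: "value-a",
  JWT_SECRET: "value-from-request",
};

function demo(): { unsafe: ConfigStore; hardened: ConfigStore; outcome: SaveOutcome } {
  const unsafe = freshStore();
  saveUnsafe(constructedBody, unsafe);
  const hardened = freshStore();
  const outcome = saveAllowListed(constructedBody, hardened);
  return { unsafe, hardened, outcome };
}
console.log(JSON.stringify(demo(), null, 2));
```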

Affected Version(s)

hoppscotch <= 2026.4.1

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
