Mass Assignment Vulnerability in Hoppscotch API Development Ecosystem
CVE-2026-50160
10 CRITICAL
What is CVE-2026-50160?
In self-hosted deployments of Hoppscotch, the /v1/onboarding/config endpoint is vulnerable to mass assignment because the NestJS ValidationPipe is improperly configured. An unauthenticated attacker can exploit this by sending requests that carry additional properties which are not validated against SaveOnboardingConfigRequest. Because those properties pass through unchecked, the attacker can overwrite critical configuration values such as JWT_SECRET and SESSION_SECRET in the database, which lets them forge authentication tokens and gain unauthorized access, effectively compromising the server.
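As an added illustration (not code from Hoppscotch or from this advisory), the following TypeScript models the mechanism described above: a validation layer that passes undeclared properties through lets a write-everything persistence step overwrite values the request was never meant to touch, while stripping or rejecting unknown keys stops it. The DTO field names, the extra key and the stored values are constructed; in a real NestJS service the remedy is the ValidationPipe's own whitelist and forbidNonWhitelisted options, shown in the comment.

```typescript
// Added example, not Hoppscotch code. Models a NestJS ValidationPipe with and
// without property whitelisting. The real-world fix is configuration, e.g.:
//   app.useGlobalPipes(new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true }));

type Mode = "passthrough" | "whitelist" | "forbid";
type Body = Record<string, unknown>;

// Fields a hypothetical SaveOnboardingConfigRequest DTO declares (assumption).
const DECLARED_FIELDS = new Set(["siteName", "adminEmail"]);

// Models the pipe: returns the body handed to the controller, or throws.
function validateBody(body: Body, mode: Mode): Body {
  const unknown = Object.keys(body).filter((k) => !DECLARED_FIELDS.has(k));
  if (mode === "passthrough") return { ...body }; // no whitelist: everything passes
  if (mode === "forbid" && unknown.length > 0) {
    // forbidNonWhitelisted: request is rejected outright (a 400 in NestJS)
    throw new Error(`unexpected properties: ${unknown.join(", ")}`);
  }
  // whitelist: silently drop anything the DTO does not declare
  const clean: Body = {};
  for (const [k, v] of Object.entries(body)) {
    if (DECLARED_FIELDS.has(k)) clean[k] = v;
  }
  return clean;
}

// Models a naive persistence layer that writes every key it receives.
function saveConfig(store: Body, validated: Body): Body {
  return { ...store, ...validated };
}

// Constructed sample data: a stored config and a request carrying an extra key.
const INITIAL_STORE: Body = { siteName: "Old", adminEmail: "admin@example.test", secretSetting: "keep-me" };
const REQUEST: Body = { siteName: "New", secretSetting: "overwritten" };

function runScenario(mode: Mode): { store: Body; rejected: boolean } {
  try {
    return { store: saveConfig(INITIAL_STORE, validateBody(REQUEST, mode)), rejected: false };
  } catch {
    return { store: { ...INITIAL_STORE }, rejected: true };
  }
}
```

Only the passthrough mode lets secretSetting change; whitelist keeps the stored value and still applies siteName, and forbid rejects the whole request.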
Affected Version(s)
hoppscotch <= 2026.4.1
