PROBABLYPWNED
Vulnerabilities | June 29, 2026 | 4 min read

Hoppscotch CVSS 10 Flaw Allows Unauthenticated Server Takeover

CVE-2026-50160 in self-hosted Hoppscotch lets attackers overwrite JWT secrets with one HTTP request—no credentials needed. Patch immediately.

Marcus Chen

A maximum-severity vulnerability in Hoppscotch, the popular open-source API development platform, allows unauthenticated attackers to achieve complete server compromise with a single HTTP request. CVE-2026-50160 carries a CVSS score of 10.0—the highest possible—and affects all self-hosted Hoppscotch deployments running versions prior to 2026.5.0.

The flaw is a textbook mass assignment vulnerability, but its impact is anything but ordinary. An attacker can overwrite the JWT signing key without authentication, forge administrative tokens, and maintain persistent access that survives password resets.

How the Attack Works

The vulnerability exists in the /v1/onboarding/config endpoint, which handles initial Hoppscotch configuration. The endpoint accepts POST requests with configuration parameters, but due to improper input validation, it also accepts parameters it shouldn't—including JWT_SECRET and SESSION_SECRET.

According to Offgrid Security's analysis, the attack chain is straightforward:

  1. Attacker sends a crafted POST request to /v1/onboarding/config
  2. The request includes arbitrary JWT_SECRET and SESSION_SECRET values
  3. NestJS ValidationPipe doesn't strip extra properties from the request
  4. Object.entries(dto) iterates all keys without restriction
  5. Malicious keys get written to the database as InfraConfig entries

With the JWT signing key under attacker control, forging valid administrative tokens becomes trivial. The attacker gains full access to the Hoppscotch instance and all connected API credentials, environment variables, and team data.

Discovery by AI Agent

What makes this disclosure notable isn't just the severity—it's who found it. Offgrid Security's autonomous AI security agent, Kiro, discovered CVE-2026-50160 during automated testing. This adds to a growing pattern of AI systems uncovering critical vulnerabilities that human reviewers missed.

We've covered similar AI-driven security discoveries in the Amazon Q Developer MCP vulnerability, where automated analysis revealed credential theft risks in AI coding assistants. The Hoppscotch case demonstrates these techniques scaling to mainstream developer tooling.

Affected Deployments

The vulnerability affects self-hosted Hoppscotch instances only. The hosted SaaS version at hoppscotch.io is not vulnerable, as it doesn't expose the onboarding configuration endpoint in the same way.

Organizations running self-hosted Hoppscotch should assume compromise if running vulnerable versions, particularly if the instance was internet-accessible. The attack leaves minimal forensic traces—checking for unauthorized JWT_SECRET changes in the database is the most direct indicator.

Mitigation Steps

  1. Update immediately to hoppscotch-backend version 2026.5.0 or later
  2. Rotate all secrets including JWT_SECRET, SESSION_SECRET, and any API keys stored in the platform
  3. Audit access logs for suspicious POST requests to /v1/onboarding/config
  4. Review connected services for unauthorized access using Hoppscotch-stored credentials
  5. Consider network isolation if immediate patching isn't possible
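An added example, not from the advisory or the Hoppscotch project, of the log audit in step 3: it assumes reverse-proxy access logs in Combined Log Format, takes an optional set of IPs known to have performed the legitimate setup, and runs over constructed sample lines (the paths other than the onboarding endpoint are made up).

```typescript
// Added detection helper for the audit step above. Assumes Combined Log Format lines
// as written by a reverse proxy in front of hoppscotch-backend (an assumption).
interface OnboardingHit {
  ip: string;
  time: string;
  status: number;
  verdict: "accepted" | "rejected"; // 2xx means the server took the body
  line: string;
}

// ip ident user [time] "METHOD path proto" status ...
const COMBINED_LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

const ONBOARDING_PATH = "/v1/onboarding/config";

// Returns every POST to the onboarding endpoint that did not come from a trusted IP.
// Query strings are stripped before comparison so "?x=1" cannot dodge the match.
function findOnboardingPosts(lines: string[], trustedIps: Set<string> = new Set()): OnboardingHit[] {
  const hits: OnboardingHit[] = [];
  for (const line of lines) {
    const m = COMBINED_LOG_RE.exec(line);
    if (!m) continue; // not a parseable access-log line
    const [, ip, time, method, rawPath, statusText] = m;
    const path = rawPath.split("?")[0];
    if (method !== "POST" || path !== ONBOARDING_PATH) continue;
    if (trustedIps.has(ip)) continue;
    const status = Number(statusText);
    hits.push({
      ip,
      time,
      status,
      verdict: status >= 200 && status < 300 ? "accepted" : "rejected",
      line,
    });
  }
  return hits;
}

// Constructed sample lines, not real traffic. 10.0.0.5 is the admin who ran the
// legitimate setup; 203.0.113.7 is an outside address hitting the endpoint later.
const SAMPLE_LOG: string[] = [
  '10.0.0.5 - - [27/Jun/2026:09:12:01 +0000] "GET /v1/ping HTTP/1.1" 200 12 "-" "curl/8.0"',
  '10.0.0.5 - - [27/Jun/2026:09:12:03 +0000] "POST /v1/onboarding/config HTTP/1.1" 201 45 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [28/Jun/2026:02:41:17 +0000] "POST /v1/onboarding/config?x=1 HTTP/1.1" 201 45 "-" "python-requests/2.31"',
  '203.0.113.7 - - [28/Jun/2026:02:41:18 +0000] "GET /v1/admin/users HTTP/1.1" 200 512 "-" "python-requests/2.31"',
];

for (const hit of findOnboardingPosts(SAMPLE_LOG, new Set(["10.0.0.5"]))) {
  console.log(`${hit.verdict.toUpperCase()} ${hit.time} ${hit.ip} (HTTP ${hit.status})`);
}
```

A hit with verdict "accepted" after the initial setup is the signal to rotate JWT_SECRET and SESSION_SECRET and compare the stored values against what was originally configured.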

The fix addresses the root cause by properly validating incoming DTO properties and stripping unexpected keys before processing.
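To make the mass-assignment pattern in the attack chain and the shape of the fix concrete, here is an added example that is not Hoppscotch's code: it models the handler the write-up describes with an in-memory Map standing in for the InfraConfig table, and the two allowlisted setting names are hypothetical.

```typescript
// Added illustration of the mass-assignment bug and its allowlist fix (not Hoppscotch's source).
type InfraConfigStore = Map<string, string>;

// Settings the onboarding endpoint is meant to write (hypothetical names).
const ONBOARDING_ALLOWLIST = new Set(["SITE_TITLE", "ALLOW_SIGNUPS"]);

// Keys that must never be writable via an unauthenticated path, whatever the allowlist
// says: an independent guard so a later allowlist edit cannot reopen the hole.
const NEVER_VIA_ONBOARDING = new Set(["JWT_SECRET", "SESSION_SECRET"]);

// Vulnerable shape, as described in the advisory: every key in the body is iterated and
// persisted, so JWT_SECRET / SESSION_SECRET supplied by the caller land in the store.
function vulnerableOnboardingConfig(dto: Record<string, unknown>, store: InfraConfigStore): void {
  for (const [name, value] of Object.entries(dto)) {
    store.set(name, String(value));
  }
}

// Hardened shape: the equivalent of NestJS ValidationPipe({ whitelist: true,
// forbidNonWhitelisted: true }) followed by an explicit write of only the allowed keys.
// Returns the names actually written.
function hardenedOnboardingConfig(dto: Record<string, unknown>, store: InfraConfigStore): string[] {
  const unexpected = Object.keys(dto).filter((k) => !ONBOARDING_ALLOWLIST.has(k));
  if (unexpected.length > 0) {
    // Reject rather than silently drop: a probe then shows up as a 400, not a 201.
    throw new Error(`unexpected properties: ${unexpected.join(", ")}`);
  }
  const written: string[] = [];
  for (const name of ONBOARDING_ALLOWLIST) {
    if (NEVER_VIA_ONBOARDING.has(name)) continue; // defence in depth
    if (Object.prototype.hasOwnProperty.call(dto, name)) {
      store.set(name, String(dto[name]));
      written.push(name);
    }
  }
  return written;
}

// Constructed body of the kind the advisory describes: one legitimate setting plus two
// secret-bearing keys that a correct DTO would never accept.
const HOSTILE_BODY = { SITE_TITLE: "dev-api", JWT_SECRET: "caller-chosen", SESSION_SECRET: "caller-chosen" };

function demo(): { vulnerableLeaked: boolean; hardenedRejected: boolean } {
  const vulnStore: InfraConfigStore = new Map([["JWT_SECRET", "original"]]);
  vulnerableOnboardingConfig(HOSTILE_BODY, vulnStore);
  const hardStore: InfraConfigStore = new Map([["JWT_SECRET", "original"]]);
  let rejected = false;
  try { hardenedOnboardingConfig(HOSTILE_BODY, hardStore); } catch { rejected = true; }
  return {
    vulnerableLeaked: vulnStore.get("JWT_SECRET") === "caller-chosen",
    hardenedRejected: rejected && hardStore.get("JWT_SECRET") === "original",
  };
}
```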

Why This Matters

Hoppscotch occupies a sensitive position in many development workflows. API development platforms store credentials, environment variables, and authentication tokens for the services they test. A compromise here doesn't just affect Hoppscotch—it potentially exposes every API and service connected to the platform.

Mass assignment vulnerabilities aren't new, but they remain dangerously common in Node.js and NestJS applications. The pattern of trusting incoming request bodies without explicit allowlisting creates exactly this type of risk. Developers using similar frameworks should audit their own endpoints for the same weakness.

For organizations evaluating their exposure to similar vulnerabilities in developer tooling, the pattern echoes what we saw with Microsoft Copilot data exfiltration risks earlier this month—developer productivity tools often have privileged access that makes them attractive targets.

Frequently Asked Questions

Is the hosted Hoppscotch.io service affected? No. The vulnerability only affects self-hosted deployments where the onboarding endpoint is exposed.

How can I tell if my instance was compromised? Check your database for unexpected changes to JWT_SECRET or SESSION_SECRET values. Also review access logs for POST requests to /v1/onboarding/config from unexpected sources.

What should I rotate after patching? All secrets stored in Hoppscotch: JWT_SECRET, SESSION_SECRET, database credentials, and any API keys or tokens stored in collections or environments.

Organizations running self-hosted API development infrastructure should treat this as a wake-up call. Developer tools often receive less security scrutiny than production systems, but they frequently hold the keys to those production systems.
