Mallory

Unauthenticated mass assignment in Hoppscotch onboarding config leading to JWT secret overwrite

Identifiers: CVE-2026-50160, CWE-915

CVE-2026-50160 is a critical vulnerability in self-hosted Hoppscotch affecting versions up to and including 2026.4.1. The flaw is exposed through the unauthenticated POST /v1/onboarding/config endpoint used during initial setup. Several defects combine into a mass-assignment issue (CWE-915): the NestJS ValidationPipe is not configured to whitelist request properties, the handler iterates over every property of the incoming DTO with Object.entries(dto) and persists each one, and a validation logic gap in validateEnvValues fails to catch the result. An attacker can therefore submit arbitrary InfraConfig keys that were never meant to be user-controllable and overwrite sensitive configuration values stored in the database, including JWT_SECRET and SESSION_SECRET. Once JWT_SECRET is set to an attacker-known value, the attacker can mint valid JWTs for any Hoppscotch user, including administrators, which amounts to complete compromise of the application trust boundary.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to alter security-critical application configuration and take control of authentication material. In particular, overwriting JWT_SECRET enables forging authentication tokens for any user account, including admin accounts. This permits full impersonation, unauthorized administrative access, and likely complete application compromise. Overwriting SESSION_SECRET may also undermine session integrity. The issue is rated Critical with a CVSS score of 10.0, and the available reporting states it can lead to full server compromise.

Mitigation

If you can’t patch tonight, do this now.

Until patched, restrict or disable exposure of the onboarding endpoint, especially POST /v1/onboarding/config, from untrusted networks. Prevent fresh instances from being reachable by untrusted users before onboarding is completed, and disable any re-onboarding capability if present. Monitor for unauthorized changes to InfraConfig values, especially JWT_SECRET and SESSION_SECRET, and rotate those secrets immediately if compromise is suspected. Any potentially affected JWTs and sessions should be invalidated after secret rotation.

Remediation

Patch, then assume compromise.

Upgrade self-hosted Hoppscotch to version 2026.5.0, which is identified as the fixed release. The vulnerable onboarding logic should ensure strict allowlisting of accepted request properties, enable NestJS ValidationPipe property whitelisting, avoid persisting arbitrary DTO keys, and correctly validate sensitive configuration fields such as JWT_SECRET and SESSION_SECRET. The onboarding endpoint should not permit unauthenticated modification of security-sensitive configuration outside a tightly controlled initialization flow.
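The mass-assignment path described in the summary above, the JWT-forging consequence from the Impact section, and the allowlisting fix described in this Remediation section, shown together as an added TypeScript example. This is not Hoppscotch's own code: the InfraConfig store is a Map stand-in, the onboarding allowlist is an assumed list of keys, the HS256 sign/verify helpers are minimal stand-ins for a real JWT library, and the request body is constructed. It contrasts an unguarded Object.entries(dto) loop with a handler that enforces an explicit allowlist (the same effect as ValidationPipe with whitelist and forbidNonWhitelisted enabled on a DTO that declares only permitted properties), then shows why a known JWT_SECRET lets the caller mint tokens the server accepts.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stand-in for the InfraConfig table (key -> value). Illustrative only;
// the real Hoppscotch schema is not reproduced here.
export type InfraConfig = Map<string, string>;

// Assumed allowlist of keys the onboarding step legitimately sets.
export const ONBOARDING_ALLOWLIST: string[] = [
  "GOOGLE_CLIENT_ID",
  "GOOGLE_CLIENT_SECRET",
  "MAILER_SMTP_URL",
];

// Vulnerable pattern (CWE-915): every property of the request body is
// persisted, which is what an unguarded Object.entries(dto) loop does.
export function applyConfigVulnerable(db: InfraConfig, dto: Record<string, unknown>): string[] {
  const written: string[] = [];
  for (const [key, value] of Object.entries(dto)) {
    db.set(key, String(value)); // no check that `key` is an onboarding key
    written.push(key);
  }
  return written;
}

// Hardened pattern: reject any property outside the allowlist, then copy
// only allowlisted keys. Mirrors ValidationPipe({ whitelist: true,
// forbidNonWhitelisted: true }) with a DTO that declares only these keys.
export function applyConfigHardened(db: InfraConfig, dto: Record<string, unknown>): string[] {
  const unknown = Object.keys(dto).filter((k) => !ONBOARDING_ALLOWLIST.includes(k));
  if (unknown.length > 0) {
    throw new Error(`rejected non-whitelisted properties: ${unknown.join(", ")}`);
  }
  const written: string[] = [];
  for (const key of ONBOARDING_ALLOWLIST) {
    if (key in dto) {
      db.set(key, String(dto[key]));
      written.push(key);
    }
  }
  return written;
}

// Minimal HS256 JWT helpers (assumes HS256; stand-in for a real JWT library).
function b64url(s: string): string {
  return Buffer.from(s).toString("base64url");
}

export function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

export function verifyHs256(token: string, secret: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
}

// End-to-end walk-through with constructed data.
export function scenario(): {
  forgedAcceptedAfterOverwrite: boolean;
  hardenedRejected: boolean;
  originalSecretIntact: boolean;
} {
  const serverSecret = "server-generated-random-secret"; // what a healthy install holds
  const attackerSecret = "attacker-known";
  // Constructed request body: one legitimate onboarding key plus a protected one.
  const body = { GOOGLE_CLIENT_ID: "client-id", JWT_SECRET: attackerSecret };

  // Vulnerable handler: JWT_SECRET is silently overwritten, so a token the
  // attacker signed with their own secret now verifies as an admin.
  const dbVuln: InfraConfig = new Map([["JWT_SECRET", serverSecret]]);
  applyConfigVulnerable(dbVuln, body);
  const forged = signHs256({ sub: "admin-user", role: "admin" }, attackerSecret);
  const forgedAcceptedAfterOverwrite = verifyHs256(forged, dbVuln.get("JWT_SECRET")!) !== null;

  // Hardened handler: the same request is rejected and the secret is untouched.
  const dbHard: InfraConfig = new Map([["JWT_SECRET", serverSecret]]);
  let hardenedRejected = false;
  try {
    applyConfigHardened(dbHard, body);
  } catch {
    hardenedRejected = true;
  }
  const originalSecretIntact = verifyHs256(forged, dbHard.get("JWT_SECRET")!) === null;
  return { forgedAcceptedAfterOverwrite, hardenedRejected, originalSecretIntact };
}
```

The hardened handler rejects the whole request rather than silently dropping unknown keys; that matches forbidNonWhitelisted and makes a probing request visible in logs instead of being absorbed. Note that verifyHs256 compares signatures with timingSafeEqual; a plain string comparison there would be a separate weakness unrelated to this CVE.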
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories and community write-ups. No news coverage yet; advisories and community discussion only.
