External risk intelligence

Hoppscotch Self-Hosted Mass Assignment Vulnerability Allows JWT Secret Overwrite

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-50160

Hoppscotch is an API development platform designed for network interaction. Self-hosted instances of such developer tools, particularly those involved in API management and onboarding, are commonly deployed as web-accessible services or internal portals reachable by development teams across network segments.

Hoppscotch

before 2026.5.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in self-hosted Hoppscotch API development environments that could allow an unauthenticated attacker to gain full server control by overwriting critical security secrets. This issue impacts deployments before version 2026.5.0.

  • Unauthenticated attackers can take over servers.
  • Affects API development tools, common in tech organizations.
  • Confirm relevance and exposure for security controls.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a POST request to a newly deployed Hoppscotch instance before it is fully configured. This request targets the onboarding configuration endpoint and can overwrite critical security settings, such as JWT and session secrets, by providing unexpected data in the request body. Successfully manipulating these secrets allows an attacker to forge authentication tokens for any user, including administrators, leading to complete server compromise.

  • Unauthenticated network access required.
  • Triggered by sending extra properties in request body.
  • Full server compromise via forged tokens.

Live Threat

Current exploitation, exposure, and threat context

In self-hosted Hoppscotch deployments, an unauthenticated attacker could overwrite critical configuration secrets, such as JWT and session secrets. This is possible when the instance is new or has no users, allowing them to modify these values before they are properly validated. Overwriting the JWT secret would allow an attacker to forge authentication tokens for any user, including administrators, leading to full server compromise.

  • Sensitive configuration secrets.
  • Unauthenticated POST request to vulnerable endpoint.
  • Full server compromise via forged tokens.

Operational Fix

Recommended remediation, mitigation, and detection steps

In self-hosted Hoppscotch deployments, platform or infrastructure teams are likely responsible for managing the backend services. The first practical step is to identify all instances of the affected technology, confirm network reachability and business criticality, and then locate the accountable owner to plan remediation.

  • Platform/Infrastructure teams should own the issue.
  • Verify network reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Hoppscotch and how is it used?

Hoppscotch is an open-source API development ecosystem. Teams use it to design, test, and document their APIs, often running self-hosted instances on their own infrastructure to manage services and development workflows securely.

What does CVE-2026-50160 mean for my Hoppscotch instance?

This CVE involves a vulnerability known as Mass Assignment (CWE-915). Because the software fails to properly filter incoming data, an attacker can send extra, unauthorized information in a network request to overwrite sensitive system configuration values, such as the keys used to sign authentication tokens.

How is this vulnerability triggered?

An attacker triggers this by sending a specially crafted POST request to the onboarding endpoint of a fresh or uninitialized instance. It does not occur on instances that have already completed the setup process or already have existing user accounts, as those states bypass the vulnerable endpoint logic.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal identifies Hoppscotch as an API development platform inherently designed for network interaction. Because self-hosted instances are frequently deployed as web-accessible services or internal portals reachable by teams, they are likely exposed if they are reachable over a network.

What are the first steps to address this issue?

Identify all self-hosted Hoppscotch instances within your environment and determine who owns them. Prioritize these for an upgrade to version 2026.5.0 or later, which contains the fix to prevent unauthorized configuration changes.

References