CVE-2026-50160 in Hoppscotch
Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extra properties on the request body that are not declared in SaveOnboardingConfigRequest are not stripped and are iterated in the service layer as if they were legitimate InfraConfig entries. Because keys such as JWT_SECRET and SESSION_SECRET are valid InfraConfigEnum values and are not explicitly rejected during validation, an unauthenticated attacker who can reach a fresh instance before onboarding completes (or when no users exist) can overwrite these values in the database. Overwriting JWT_SECRET gives the attacker control of the JWT signing key, allowing them to forge tokens for any user, including administrators, and results in full server compromise. The issue is fixed in hoppscotch 2026.5.0.
Quick answer
Hoppscotch Backend should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Self-hosted Hoppscotch Backend 2026.4.1 and earlier
Fixed versions
- Hoppscotch 2026.5.0 or later
How to fix it
CVE-2026-50160 affects Hoppscotch Backend. In simple terms, the affected software may be used in an unsafe way. Update to Hoppscotch 2026.5.0 or later. If you cannot update today, limit who can reach this system until the fix is done.
- Find every place where Hoppscotch Backend is installed or used.
- Check if the version matches: Self-hosted Hoppscotch Backend 2026.4.1 and earlier.
- Update to: Hoppscotch 2026.5.0 or later.
- If you cannot update now, allow only trusted users and trusted networks.
- Check logs for crashes, strange requests, failed logins, or unexpected access.
- Change secrets or passwords if you think data may have been exposed.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the installed version is now: Hoppscotch 2026.5.0 or later.
- Confirm the risky feature is no longer exposed to untrusted users.
- Run the affected workflow again and make sure it still works.
- Review logs again after the update.
- Run a new Fixnx scan if this software is part of a public website.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-50160?
Hoppscotch Backend versions listed as affected should be reviewed: Self-hosted Hoppscotch Backend 2026.4.1 and earlier.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
