Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Network-accessible unauthenticated endpoint (AV:N, PR:N, AC:L, UI:N); JWT secret takeover enables forged tokens for all users, constituting a scope change with full CIA impact.
Primary rating from Vendor (CNA).
CVSS Vector (Vendor)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline: Description (PRE-NVD)
Analysis (AI)
Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker control via a single HTTP POST request to the onboarding endpoint, enabling forged authentication tokens for any user including administrators. All self-hosted deployments running version 2026.4.1 and earlier are affected during the initial onboarding window or when re-onboarding is enabled. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)

| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires the target Hoppscotch self-hosted instance to be in one of two specific states: (1) a fresh deployment where the onboarding flow has not yet been completed - the `POST /v1/onboarding/config` endpoint is intentionally unauthenticated during this phase - or (2) a deployment where re-onboarding has been explicitly re-enabled by an operator. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reporter-asserted CVSS score of 10.0 is independently consistent with the attack profile: network-accessible endpoint (AV:N), trivial single-request exploitation (AC:L), no authentication required (PR:N), no user interaction (UI:N), scope change affecting all platform users (S:C), and full confidentiality, integrity, and availability impact (C:H/I:H/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans internet-exposed hosts on port 3170 for Hoppscotch instances where the onboarding endpoint responds. They send a single crafted POST to `/v1/onboarding/config` containing legitimate-looking onboarding fields alongside injected `JWT_SECRET` and `SESSION_SECRET` values; the server writes the attacker-controlled secrets to the database without authentication or validation. … |
| Remediation | Upgrade to Hoppscotch self-hosted version 2026.5.0 immediately, as confirmed by the GitHub Security Advisory GHSA-j542-4rch-8hwf (https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-j542-4rch-8hwf) and the full researcher writeup at https://www.offgridsec.com/blog-hoppscotch-cve-2026-50160.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Related identifier: EUVD-2026-41107