
Hoppscotch EUVD-2026-41107 | CVE-2026-50160 CRITICAL
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-06-23
10.0 CVSS 3.1 (Vendor)

Severity by source

Vendor (CNA), primary: 10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today AI: 10.0 CRITICAL

Network-accessible unauthenticated endpoint (AV:N, PR:N, AC:L, UI:N); JWT secret takeover enables forged tokens for all users, constituting a scope change with full CIA impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

CVSS changed: Jul 01, 2026 - 19:22 (NVD), 10.0 (CRITICAL)
Analysis Generated: Jun 23, 2026 - 20:19 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker control via a single HTTP POST request to the onboarding endpoint, enabling forged authentication tokens for any user including administrators. All self-hosted deployments running version 2026.4.1 and earlier are affected during the initial onboarding window or when re-onboarding is enabled. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Scan for exposed port 3170
Delivery: Confirm onboarding endpoint active
Exploit: POST with injected JWT_SECRET and SESSION_SECRET
Execution: Server writes attacker secrets to database
Persist: Forge JWT token for admin user
Impact: Full application compromise

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target Hoppscotch self-hosted instance to be in one of two specific states: (1) a fresh deployment where the onboarding flow has not yet been completed (the `POST /v1/onboarding/config` endpoint is intentionally unauthenticated during this phase), or (2) a deployment where re-onboarding has been explicitly re-enabled by an operator. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The reporter-asserted CVSS score of 10.0 is independently consistent with the attack profile: network-accessible endpoint (AV:N), trivial single-request exploitation (AC:L), no authentication required (PR:N), no user interaction (UI:N), scope change affecting all platform users (S:C), and full confidentiality, integrity, and availability impact (C:H/I:H/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker scans internet-exposed hosts on port 3170 for Hoppscotch instances where the onboarding endpoint responds. They send a single crafted POST to `/v1/onboarding/config` containing legitimate-looking onboarding fields alongside injected `JWT_SECRET` and `SESSION_SECRET` values; the server writes the attacker-controlled secrets to the database without authentication or validation. …

Remediation: Upgrade to Hoppscotch self-hosted version 2026.5.0 immediately, as confirmed by the GitHub Security Advisory GHSA-j542-4rch-8hwf (https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-j542-4rch-8hwf) and the full researcher writeup at https://www.offgridsec.com/blog-hoppscotch-cve-2026-50160.html. … Detailed patch versions, workarounds, and compensating controls in full report.
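The weakness class above (CWE-915, mass assignment) is mitigated by never binding a request body directly onto a settings object: the handler allowlists the fields an onboarding request may set, rejects any other key, and generates signing secrets server-side. The following is an added illustration written for this page, not Hoppscotch's code or its fix; the field names (`adminEmail`, `organizationName`, `mailerEnabled`) and the `InstanceState` shape are assumptions, and only the two secret names come from the advisory text.

```typescript
import { randomBytes } from "node:crypto";

// Added example, not project code. Keys an onboarding request may set.
// Field names are assumed for illustration.
const ONBOARDING_ALLOWED_KEYS = new Set(["adminEmail", "organizationName", "mailerEnabled"]);

// Values that must only ever be produced server-side. Named separately so
// an attempt to set them is logged distinctly from a merely unknown key.
const SERVER_ONLY_KEYS = new Set(["JWT_SECRET", "SESSION_SECRET"]);

interface OnboardingConfig {
  adminEmail: string;
  organizationName: string;
  mailerEnabled: boolean;
}

type ValidationResult =
  | { ok: true; config: OnboardingConfig }
  | { ok: false; error: string };

// Assumed persisted state of one self-hosted instance.
interface InstanceState {
  onboardingOpen: boolean; // true only until first onboarding completes
  config?: OnboardingConfig;
  jwtSecret?: string;
  sessionSecret?: string;
}

// Validates an untrusted JSON body against an explicit allowlist instead of
// copying arbitrary attributes onto the config (the CWE-915 pattern).
function validateOnboardingBody(body: unknown, onboardingOpen: boolean): ValidationResult {
  if (!onboardingOpen) {
    return { ok: false, error: "onboarding already completed" };
  }
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  const record = body as Record<string, unknown>;
  // Object.keys also surfaces an own "__proto__" key from JSON.parse, so a
  // prototype-pollution shaped body is rejected as an unexpected key.
  for (const key of Object.keys(record)) {
    if (SERVER_ONLY_KEYS.has(key)) {
      return { ok: false, error: `attempt to set server-only key ${key}` };
    }
    if (!ONBOARDING_ALLOWED_KEYS.has(key)) {
      return { ok: false, error: `unexpected key ${key}` };
    }
  }
  // Each allowed field is type-checked individually; no Object.assign.
  const { adminEmail, organizationName, mailerEnabled } = record;
  if (typeof adminEmail !== "string" || !adminEmail.includes("@")) {
    return { ok: false, error: "adminEmail must be an email address" };
  }
  if (typeof organizationName !== "string" || organizationName.length === 0) {
    return { ok: false, error: "organizationName must be a non-empty string" };
  }
  if (typeof mailerEnabled !== "boolean") {
    return { ok: false, error: "mailerEnabled must be a boolean" };
  }
  return { ok: true, config: { adminEmail, organizationName, mailerEnabled } };
}

// Applies a validated request: secrets are generated here, never read from
// the body, and the onboarding window closes after the first success.
function completeOnboarding(state: InstanceState, body: unknown): ValidationResult {
  const result = validateOnboardingBody(body, state.onboardingOpen);
  if (!result.ok) {
    return result;
  }
  state.config = result.config;
  state.jwtSecret = randomBytes(32).toString("hex");
  state.sessionSecret = randomBytes(32).toString("hex");
  state.onboardingOpen = false; // re-opening requires a deliberate operator action
  return result;
}
```

The design point is that the allowlist is the only path into the config object and that the secret fields have no request-facing name at all; a body carrying `JWT_SECRET` fails validation before anything is persisted, and a second onboarding attempt fails because the window is closed.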



EUVD-2026-41107 vulnerability details – vuln.today
