Hoppscotch A.I CyberSecurity Scoring
Hoppscotch
Company Information
Website: https://hoppscotch.io
Employees number: 9
Number of followers: 12,566
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: hoppscotch.io
Hoppscotch Risk Score (AI oriented)
Between 700 and 749
Hoppscotch (Technology, Information and Internet)
Updated: 29/06/2026
747/1000
Moderate
Ba
Hoppscotch Global Score (TPRM)
Hoppscotch (Technology, Information and Internet)
Score locked
Current Score: 747 Ba (MODERATE)
1 incident
-17 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
747
JUNE 2026
764
Vulnerability
29 Jun 2026 • Hoppscotch
Hoppscotch: Critical Hoppscotch Vulnerability Lets Attackers Overwrite JWT_SECRET and Forge Admin Tokens
Critical Hoppscotch Vulnerability (CVE-2026-50160) Enables Full System Takeover
747
CRITICAL-17
HOP1782735948
A severe security flaw (CVE-2026-50160) has been discovered in the self-hosted Hoppscotch backend, allowing unauthenticated attackers to overwrite sensitive configuration values including the JWT signing secret and gain full administrative control of affected instances. The vulnerability, detailed in GitHub advisory GHSA-j542-4rch-8hwf, impacts all versions up to 2026.4.1 and has been patched in 2026.5.0. With a CVSS score of 10.0, the flaw is trivial to exploit and poses a catastrophic risk.
### Root Cause & Exploitation
The vulnerability stems from a mass assignment flaw in the POST /v1/onboarding/config endpoint, which is accessible without authentication during the initial setup phase (when no users exist). The endpoint, designed to configure onboarding parameters like SMTP and OAuth settings, lacks proper input validation, allowing attackers to inject arbitrary configuration keys.
The issue arises from the use of the NestJS ValidationPipe without its `whitelist` (allowlist) option enabled, so properties not declared on the DTO pass through unfiltered. Sensitive keys such as JWT_SECRET and SESSION_SECRET, which are valid internal enum values, can therefore be overwritten, because the `validateEnvValues` logic does not reject entries that the onboarding step should not be allowed to set.
### Attack Chain & Impact
A successful exploit requires just a single crafted HTTP request. Attackers can:
- Overwrite JWT_SECRET, enabling token forgery for any user (including admins).
- Bypass JwtAuthGuard protections, granting unrestricted access to sensitive data and API keys.
- Hijack sessions by modifying SESSION_SECRET, invalidating legitimate user sessions.
- Maintain persistent access even after credential resets.
The flaw is particularly dangerous for newly deployed instances exposed to the internet before onboarding is complete, creating a high-risk window for automated or opportunistic attacks.
### Proof-of-Concept Exploitation
A basic exploit involves:
1. Checking onboarding status via `GET /v1/onboarding/status`.
2. Sending a malicious POST request to overwrite secrets:
```json
{
"JWT_SECRET": "ATTACKER_CONTROLLED_VALUE",
"SESSION_SECRET": "ATTACKER_CONTROLLED_VALUE"
}
```
3. Verifying compromise by querying the database for stored secrets.
### Mitigation & Remediation
The advisory recommends:
- Immediate upgrade to Hoppscotch 2026.5.0 or later.
- Enabling `whitelist: true` in ValidationPipe to strip unknown fields.
- Strict allowlisting of configuration keys and explicit validation for sensitive parameters.
- Enforcing authentication or one-time setup tokens for onboarding endpoints.
The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), a common but critical flaw in modern API frameworks. Unpatched instances remain critically vulnerable to remote compromise with no user interaction required.
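To make the mass-assignment defect and its fix concrete, here is an added TypeScript example (not Hoppscotch's own code) showing an unfiltered config writer beside an allowlisted one, as the advisory's mitigations describe. The key names and sample request body are constructed assumptions, not Hoppscotch's real configuration keys.

```typescript
type Config = Record<string, string>;

// Constructed allowlist: the only keys the onboarding step may set (assumed names).
const ONBOARDING_ALLOWLIST = new Set(["MAILER_SMTP_URL", "GOOGLE_CLIENT_ID"]);
// Keys that must never be reachable from unauthenticated onboarding input.
const PROTECTED_KEYS = new Set(["JWT_SECRET", "SESSION_SECRET"]);

class ConfigRejected extends Error {}

// Vulnerable pattern (CWE-915): every key in the request body is merged into config,
// so a body carrying JWT_SECRET silently replaces the server-generated secret.
function applyConfigUnfiltered(current: Config, body: Config): Config {
  return { ...current, ...body };
}

// Hardened pattern: unknown keys are stripped (what ValidationPipe whitelist does),
// protected keys are rejected outright, and accepted values are validated.
function applyConfigAllowlisted(current: Config, body: Config): Config {
  const next: Config = { ...current };
  for (const [key, value] of Object.entries(body)) {
    if (PROTECTED_KEYS.has(key)) {
      throw new ConfigRejected(`protected key ${key} cannot be set via onboarding`);
    }
    if (!ONBOARDING_ALLOWLIST.has(key)) continue; // strip unknown field
    if (typeof value !== "string" || value.length === 0) {
      throw new ConfigRejected(`invalid value for ${key}`);
    }
    next[key] = value;
  }
  return next;
}

// Constructed sample state and request body mirroring the shape of the advisory's PoC.
const SAMPLE_CURRENT: Config = { JWT_SECRET: "server-generated-secret" };
const SAMPLE_BODY: Config = {
  MAILER_SMTP_URL: "smtp://mail.example.test:587",
  JWT_SECRET: "ATTACKER_CONTROLLED_VALUE",
};
```

With `applyConfigUnfiltered` the sample body replaces JWT_SECRET; with `applyConfigAllowlisted` the same body is rejected before any key is written.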
MAY 2026
764
APRIL 2026
764
MARCH 2026
764
FEBRUARY 2026
764
JANUARY 2026
764
DECEMBER 2025
764
NOVEMBER 2025
764
OCTOBER 2025
764
SEPTEMBER 2025
764
AUGUST 2025
764
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Hoppscotch?
What was Hoppscotch's A.I Rankiteo Cyber Score in June 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in May 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in April 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in March 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in February 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in January 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in December 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in November 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in October 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in September 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on Hoppscotch's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Hoppscotch?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Hoppscotch's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?