Hoppscotch Vendor Cyber Rating & Cyber Score

hoppscotch.io

Open source API development ecosystem. Helps you create, test, save, share API requests faster, saving precious time on development.


Hoppscotch A.I CyberSecurity Scoring

Hoppscotch
Company Information
Website: https://hoppscotch.io
Employees number: 9
Number of followers: 12,566
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: hoppscotch.io
Hoppscotch Risk Score (AI oriented)
Between 700 and 749
Hoppscotch (Technology, Information and Internet)
Updated: 29/06/2026
Score: 747/1000 (Moderate, grade Ba)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Hoppscotch Global Score (TPRM)

Hoppscotch: Moderate
Current Score: 747 Ba (MODERATE)
1 incident
-17 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 747 (before incident)
JUNE 2026: 764 (before incident)
Vulnerability
29 Jun 2026, Hoppscotch
Hoppscotch: Critical Hoppscotch Vulnerability Lets Attackers Overwrite JWT_SECRET and Forge Admin Tokens

Critical Hoppscotch Vulnerability (CVE-2026-50160) Enables Full System Takeover

747 (after incident)
Severity: CRITICAL, -17 points
Incident ID: HOP1782735948
A severe security flaw (CVE-2026-50160) has been discovered in the self-hosted Hoppscotch backend, allowing unauthenticated attackers to overwrite sensitive configuration values, including the JWT signing secret, and gain full administrative control of affected instances. The vulnerability, detailed in GitHub advisory GHSA-j542-4rch-8hwf, affects all versions up to 2026.4.1 and is patched in 2026.5.0. With a CVSS score of 10.0, the flaw is trivial to exploit and poses a catastrophic risk.

### Root Cause & Exploitation

The vulnerability stems from a mass assignment flaw in the POST /v1/onboarding/config endpoint, which is reachable without authentication during the initial setup phase (when no users exist). The endpoint, designed to configure onboarding parameters such as SMTP and OAuth settings, lacks proper input validation, allowing attackers to inject arbitrary configuration keys. The issue arises from using the NestJS ValidationPipe without the `whitelist` option enabled, so unknown properties in the request body pass through validation unfiltered. Sensitive keys such as JWT_SECRET and SESSION_SECRET, which are valid internal enum values, can therefore be overwritten, because the `validateEnvValues` logic does not reject them.

### Attack Chain & Impact

A successful exploit requires just a single crafted HTTP request. Attackers can:

- Overwrite JWT_SECRET, enabling token forgery for any user (including admins).
- Bypass JwtAuthGuard protections, granting unrestricted access to sensitive data and API keys.
- Hijack sessions by modifying SESSION_SECRET, invalidating legitimate user sessions.
- Maintain persistent access even after credential resets.

The flaw is particularly dangerous for newly deployed instances exposed to the internet before onboarding is complete, creating a high-risk window for automated or opportunistic attacks.

### Proof-of-Concept Exploitation

A basic exploit involves:

1. Checking onboarding status via `GET /v1/onboarding/status`.
2. Sending a malicious POST request to overwrite secrets:

```json
{
  "JWT_SECRET": "ATTACKER_CONTROLLED_VALUE",
  "SESSION_SECRET": "ATTACKER_CONTROLLED_VALUE"
}
```

3. Verifying compromise by querying the database for stored secrets.

### Mitigation & Remediation

The advisory recommends:

- Immediate upgrade to Hoppscotch 2026.5.0 or later.
- Enabling `whitelist: true` in ValidationPipe to strip unknown fields.
- Strict allowlisting of configuration keys and explicit validation for sensitive parameters.
- Enforcing authentication or one-time setup tokens for onboarding endpoints.

The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), a common but critical flaw in modern API frameworks. Unpatched instances remain critically vulnerable to remote compromise with no user interaction required.
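To make the root cause and the recommended fix concrete, here is an added example (not Hoppscotch's code and not taken from the advisory) that models a config-update handler in plain TypeScript: the vulnerable form merges every request key into the store, while the hardened form applies the allowlist and protected-key checks the advisory recommends. The onboarding key names other than JWT_SECRET and SESSION_SECRET are assumed placeholders.

```typescript
// Added example modelling CWE-915 mass assignment in a setup endpoint and its allowlist fix.
// Hypothetical key names; only JWT_SECRET / SESSION_SECRET come from the advisory.
type ConfigStore = Record<string, unknown>;

// Assumed onboarding parameters the endpoint is meant to accept (SMTP / OAuth style settings).
const ONBOARDING_ALLOWLIST = new Set(["SMTP_HOST", "SMTP_PORT", "OAUTH_CLIENT_ID"]);

// Keys that must never be writable through an unauthenticated setup endpoint,
// even if they are valid internal enum values elsewhere in the application.
const PROTECTED_KEYS = new Set(["JWT_SECRET", "SESSION_SECRET"]);

class ConfigValidationError extends Error {}

// Vulnerable pattern: every property of the request body becomes a config entry.
// This is the behaviour of a ValidationPipe that does not strip unknown fields.
function applyConfigVulnerable(store: ConfigStore, body: ConfigStore): ConfigStore {
  return { ...store, ...body };
}

// Hardened pattern: unknown keys are rejected (forbidUnknown) or silently stripped
// (the `whitelist: true` behaviour), and protected secrets are always refused.
function applyConfigHardened(
  store: ConfigStore,
  body: ConfigStore,
  opts: { forbidUnknown: boolean } = { forbidUnknown: true },
): ConfigStore {
  const accepted: ConfigStore = {};
  for (const [key, value] of Object.entries(body)) {
    if (PROTECTED_KEYS.has(key)) {
      throw new ConfigValidationError(`refusing to modify protected key ${key}`);
    }
    if (!ONBOARDING_ALLOWLIST.has(key)) {
      if (opts.forbidUnknown) throw new ConfigValidationError(`unknown key ${key}`);
      continue; // whitelist-only mode: drop the field and carry on
    }
    if (typeof value !== "string" || value.length === 0) {
      throw new ConfigValidationError(`invalid value for ${key}`);
    }
    accepted[key] = value;
  }
  return { ...store, ...accepted };
}

// Constructed sample data: a store holding the original secret and a request body
// mixing one legitimate setting with a secret-overwrite attempt.
const INITIAL_STORE: ConfigStore = { JWT_SECRET: "original-secret" };
const CRAFTED_BODY: ConfigStore = { SMTP_HOST: "mail.example.test", JWT_SECRET: "ATTACKER_CONTROLLED_VALUE" };

// Returns true when the hardened handler refuses the crafted body outright.
function hardenedRejectsCraftedBody(): boolean {
  try { applyConfigHardened(INITIAL_STORE, CRAFTED_BODY); return false; }
  catch (e) { return e instanceof ConfigValidationError; }
}
```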
INCIDENT DETAILS -
TYPE
Mass Assignment Vulnerability
IMPACT
Data Compromised: Sensitive configuration values (JWT_SECRET, SESSION_SECRET), API keys, user sessions, administrative access
Systems Affected: Self-hosted Hoppscotch backend instances (versions up to 2026.4.1)
Operational Impact: Full administrative control of affected instances, unauthorized access to sensitive data, session hijacking
Brand Reputation Impact: High (critical vulnerability with CVSS 10.0)
Identity Theft Risk: High (token forgery, session hijacking)
DATA BREACH
Type Of Data Compromised: Configuration secrets (JWT_SECRET, SESSION_SECRET), API keys, user sessions
Sensitivity Of Data: High (administrative access, authentication tokens)
MAY 2026: 764 (before incident)
APRIL 2026: 764 (before incident)
MARCH 2026: 764 (before incident)
FEBRUARY 2026: 764 (before incident)
JANUARY 2026: 764 (before incident)
DECEMBER 2025: 764 (before incident)
NOVEMBER 2025: 764 (before incident)
OCTOBER 2025: 764 (before incident)
SEPTEMBER 2025: 764 (before incident)
AUGUST 2025: 764 (before incident)

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Hoppscotch?
What was Hoppscotch's A.I Rankiteo Cyber Score in June 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in May 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in April 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in March 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in February 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in January 2026?
What was Hoppscotch's A.I Rankiteo Cyber Score in December 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in November 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in October 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in September 2025?
What was Hoppscotch's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on Hoppscotch's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Hoppscotch?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Hoppscotch's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?