10 matches found
CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite
Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...
CVE-2026-44478
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...
CVE-2026-44478
CVE-2026-44478 concerns Hoppscotch, an open source API development ecosystem. The vulnerability chain involves an unauthenticated POST to /v1/onboarding/config that, prior to 2026.2.0, allowed overwriting the infrastructure configuration without verifying onboarding completion, potentially compro...
CVE-2026-44478
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...
Hoppscotch 访问控制错误漏洞
Hoppscotch is an open-source API development ecosystem created by Hoppscotch. Versions of Hoppscotch from 2026.2.0 to 2026.4.0 contained a access control vulnerability. This vulnerability stemmed from the GET /v1/onboarding/config endpoint, which still exposed all infrastructure secrets in plain...
PT-2026-40829
Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.4.0 Description An information disclosure issue exists where the 'GET /v1/onboarding/config' endpoint leaks infrastructure secrets in plaintext to unauthenticated users. This occurs specifically when the...
CVE-2026-28215 hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request wi...
CVE-2026-28215
CVE-2026-28215 affects Hoppscotch (self-hosted) prior to 2026.2.0. The unauthenticated endpoint POST /v1/onboarding/config has no guards and can overwrite the infrastructure configuration, including OAuth provider credentials and SMTP settings, by a single HTTP POST. Successful exploitation allow...
CVE-2026-28215 hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request wi...
PT-2026-22210
Name of the Vulnerable Software and Affected Versions Hoppscotch versions prior to 2026.2.0 Description Hoppscotch, an API development ecosystem, had a critical security issue where an unauthenticated attacker could overwrite the entire infrastructure configuration of a self-hosted instance. This...