securityonline.info 6/29/2026, 1:50:46 AM · external

CVE-2026-50160 flaw exposes Hoppscotch to admin token takeover

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Status Unknown

A critical vulnerability in the Hoppscotch API backend, tracked as CVE-2026-50160, affects self-hosted deployments. It is a mass assignment flaw: fields supplied in a request body are copied into server configuration without being checked against an allowlist, so an attacker can overwrite security-critical settings such as the session secret and the JWT signing key. Once the signing key is attacker-controlled, the attacker can mint tokens carrying admin claims that the server accepts as genuine, which amounts to complete compromise of the instance.

Deployments running Hoppscotch 2026.4.1 or older are affected. The exposure is greatest during initial setup, before any user has been created, because that is when the affected endpoint is reachable. The fix is to upgrade to Hoppscotch 2026.5.0, where strict validation rules are enforced on the endpoint. Where an upgrade cannot be applied immediately, completing the onboarding setup promptly disables the vulnerable endpoint. An instance that sat reachable while unconfigured should have its session secret and JWT signing key treated as potentially overwritten and rotated.
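The following is an added example, not Hoppscotch's code and not taken from the advisory. It models the bug class the advisory describes: a first-run setup handler that copies every field of the request body into server configuration (mass assignment), beside a hardened handler that allowlists the writable fields and refuses requests once onboarding is complete. A minimal HS256 JWT signer and verifier show why overwriting the signing key is enough to forge an admin token. The config field names (`jwt_secret`, `session_secret`, `user_count`), the allowlist, the claim `isAdmin` and the attacker's chosen secret are all assumptions made for the example.

```python
"""Mass assignment on a first-run setup endpoint, and the allowlist fix.

Illustrative model of the bug class described in the advisory; this is NOT
Hoppscotch's code. Field names, config shape and handler behaviour are
assumptions made for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str):
    """Return the payload if the HS256 signature verifies under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def fresh_config() -> dict:
    """Server state of a just-installed instance: random secrets, no users yet (assumed shape)."""
    return {
        "instance_name": "hoppscotch",
        "jwt_secret": secrets.token_hex(32),
        "session_secret": secrets.token_hex(32),
        "user_count": 0,  # onboarding not completed
    }


def setup_vulnerable(config: dict, body: dict) -> None:
    """Mass assignment: every key in the request body is written into server config."""
    config.update(body)


SETUP_ALLOWED_FIELDS = {"instance_name"}  # assumed allowlist for the example


def setup_hardened(config: dict, body: dict) -> None:
    """Allowlist writable fields, type-check them, and refuse once onboarding is complete."""
    if config["user_count"] > 0:
        raise PermissionError("setup already completed")
    unknown = set(body) - SETUP_ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    if not isinstance(body.get("instance_name", ""), str):
        raise ValueError("instance_name must be a string")
    config.update(body)


def forge_admin(config: dict, setup_handler) -> bool:
    """Attacker flow: push a known jwt_secret through setup, then sign an admin token.

    Returns True if the server's verifier (using the server's current secret)
    accepts the forged token as an admin.
    """
    attacker_secret = "attacker-controlled-secret"
    setup_handler(config, {
        "instance_name": "pwned",
        "jwt_secret": attacker_secret,      # the mass-assigned field that matters
        "session_secret": attacker_secret,
    })
    token = sign_jwt({"sub": "attacker", "isAdmin": True}, attacker_secret)
    claims = verify_jwt(token, config["jwt_secret"])
    return bool(claims and claims.get("isAdmin"))


if __name__ == "__main__":
    cfg = fresh_config()
    print("vulnerable handler, admin token forged:", forge_admin(cfg, setup_vulnerable))
    cfg = fresh_config()
    try:
        forge_admin(cfg, setup_hardened)
    except ValueError as exc:
        print("hardened handler rejected the request:", exc)
```

The hardened handler fixes two things at once: the allowlist stops secrets from being writable through the endpoint at all, and the `user_count` check closes the endpoint after onboarding, which is the state the advisory's mitigation (completing setup) relies on.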


Article by CyberSIXT