JustAppSec

Hoppscotch patches unauthenticated config takeover on self-hosted instances

Published 26 Feb 2026 · Updated 26 Feb 2026 · Source: CVE Project

TL;DR — Self-hosted Hoppscotch instances expose an unauthenticated endpoint that lets anyone overwrite infrastructure config — including OAuth credentials and secrets — with a single POST request.

What happened

Hoppscotch is an open-source API development and testing tool, commonly self-hosted as an alternative to Postman. A critical vulnerability in self-hosted Hoppscotch allows an unauthenticated attacker to overwrite the entire infrastructure configuration by sending a single HTTP POST to /v1/onboarding/config — no auth required, no check whether onboarding was already completed.

The impact includes replacing OAuth application credentials (capturing tokens and email addresses for subsequent logins) and obtaining a recovery token that can read stored secrets in plaintext.

This is a textbook broken access control issue on a setup/admin endpoint — the same class of bug that hit Metabase, Grafana, and other self-hosted tools in recent years.

Who is impacted

  • Self-hosted Hoppscotch deployments running versions prior to 2026.2.0.
  • Internet-accessible instances are at highest risk. CVSS 3.1 base score: 9.1 (Critical).

What to do now

  • Follow vendor remediation guidance and upgrade to a patched release (2026.2.0 or later, the latest available at the time of writing).
  • Treat the instance as potentially compromised if it was Internet-accessible: rotate OAuth app secrets (Google/GitHub/Microsoft), SMTP credentials, and any other secrets stored in configuration.
  • Review onboarding/configuration state and audit for unexpected SSO or email/SMTP changes.
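One concrete way to carry out the audit above is to check reverse-proxy access logs for writes to the /v1/onboarding/config endpoint named in the "What happened" section. The script below is an added example, not Hoppscotch code: it assumes Common Log Format lines, an operator-supplied timestamp for when legitimate onboarding finished, and constructed sample log lines; since the vulnerable versions never checked whether onboarding was already complete, any successful POST to that path after completion warrants the secret rotation described above.

```python
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (Common Log Format) from a reverse proxy
# in front of a self-hosted Hoppscotch backend. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2026:09:00:12 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2026:09:05:40 +0000] "GET /v1/onboarding/status HTTP/1.1" 200 128
203.0.113.7 - - [24/Feb/2026:22:13:01 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512
203.0.113.7 - - [24/Feb/2026:22:13:05 +0000] "GET /v1/auth/providers HTTP/1.1" 200 96
198.51.100.2 - - [25/Feb/2026:03:40:44 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512
"""

# Assumption: the operator knows from deployment records when legitimate
# onboarding finished. Every config write after that point is unexpected.
ONBOARDING_COMPLETED_AT = datetime(2026, 2, 10, 9, 30, tzinfo=timezone.utc)
CONFIG_ENDPOINT = "/v1/onboarding/config"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_suspicious_config_writes(log_text, completed_at=ONBOARDING_COMPLETED_AT):
    """Return successful (2xx) POSTs to the onboarding config endpoint that
    happened after onboarding was already complete, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if (rec["method"] == "POST" and path == CONFIG_ENDPOINT
                and rec["ts"] > completed_at and 200 <= rec["status"] < 300):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_suspicious_config_writes(SAMPLE_LOG):
        print(f"{h['ts'].isoformat()} {h['ip']} rewrote infra config "
              f"(HTTP {h['status']}): rotate OAuth/SMTP secrets")
```

Run it against the proxy logs covering the exposure window; a hit means the OAuth and SMTP credentials in effect at that time should be treated as disclosed, even if the instance has since been patched.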

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
