hoppscotch
cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*
- <= 2026.1.1
A vulnerability in Hoppscotch prior to version 2026.2.0 allows an unauthenticated attacker to overwrite the entire infrastructure configuration of a self-hosted instance. This includes sensitive data such as OAuth provider credentials and SMTP settings. The vulnerability exists because the POST /v1/onboarding/config endpoint lacks authentication and does not verify whether the onboarding process has already been completed. Exploiting this flaw enables attackers to replace the OAuth application credentials for Google, GitHub, or Microsoft with their own, capturing OAuth tokens and email addresses from users who log in via Single Sign-On (SSO) afterwards. Additionally, the endpoint responds with a recovery token that can be used to access all stored secrets in plaintext, including SMTP passwords and other credentials.
Exploitation of this vulnerability allows for the hijacking of SSO credentials, interception of SMTP communications, and unauthorized access to sensitive configuration secrets. This could lead to persistent unauthorized access on the affected Hoppscotch instance.
The vulnerability can be reproduced by sending a POST request to the /v1/onboarding/config endpoint without authentication. This request can include malicious OAuth credentials, which will overwrite the existing ones. After the credentials are replaced, the recovery token provided in the response can be used to access all stored secrets, including SMTP passwords and OAuth client secrets, in plaintext.
Users are advised to update to Hoppscotch version 2026.2.0 or later, and to run the latest database migrations after upgrading.
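For defenders triaging a self-hosted instance, the two questions that follow from the text above are whether the running version is older than the fixed release and whether the access log shows any POST to the onboarding endpoint after onboarding was completed. The script below is an added example written for this page, not Hoppscotch's own code: it assumes a reverse proxy writing nginx/Apache "combined" format logs in front of the backend, uses constructed sample log lines, and takes only the endpoint path and fixed version from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access-log lines in nginx/Apache "combined" format.
# They are made up for this example and are not taken from any real instance.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:10:01:02 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.20 - - [10/Feb/2026:10:02:10 +0000] "GET /v1/onboarding/status HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:10:03:45 +0000] "POST /v1/onboarding/config HTTP/1.1" 401 0 "-" "curl/8.5.0"
127.0.0.1 - - [10/Feb/2026:10:05:00 +0000] "POST /v1/onboarding/config?x=1 HTTP/1.1" 201 512 "-" "python-requests/2.31"
"""

# Endpoint and fixed version as stated in the advisory.
TARGET_PATH = "/v1/onboarding/config"
FIXED_VERSION = (2026, 2, 0)

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    timestamp: str
    source_ip: str
    status: int
    severity: str  # "high" for a successful write, "low" for a rejected attempt
    note: str


def parse_version(version: str) -> tuple:
    """Turn a dotted Hoppscotch version such as '2026.1.1' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the instance is older than the fixed release 2026.2.0."""
    return parse_version(version) < FIXED_VERSION


def scan_access_log(log_text: str, onboarding_completed: bool = True) -> List[Finding]:
    """Flag POST requests to the onboarding config endpoint.

    On an instance whose onboarding is already complete, any successful (2xx)
    write to this endpoint should not happen and is reported as high severity.
    Rejected attempts (any non-2xx status) are reported as low severity so the
    source can still be reviewed. During genuine first-run onboarding a
    successful write is expected and is not flagged.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        path = match.group("path").split("?", 1)[0]  # ignore any query string
        if match.group("method") != "POST" or path != TARGET_PATH:
            continue
        status = int(match.group("status"))
        if 200 <= status < 300:
            if onboarding_completed:
                findings.append(Finding(match.group("ts"), match.group("ip"), status, "high",
                                        "successful config write on an already-onboarded instance"))
        else:
            findings.append(Finding(match.group("ts"), match.group("ip"), status, "low",
                                    "rejected config write attempt"))
    return findings


if __name__ == "__main__":
    print("affected:", is_affected("2026.1.1"))
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.timestamp} {finding.source_ip} "
              f"status={finding.status} {finding.note}")
```

A high-severity hit on a completed instance means the configuration should be treated as compromised: rotate the OAuth client secrets and SMTP credentials named in the advisory, upgrade to 2026.2.0 or later, and run the database migrations before trusting the stored settings again. The localhost entry in the sample is flagged deliberately; a write from the host itself is no less of a change to the stored secrets.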