Unknown · Hoppscotch · CVE-2026-28215
**Name of the Vulnerable Software and Affected Versions**
Hoppscotch versions prior to 2026.2.0
**Description**
Hoppscotch, an API development ecosystem, had a critical flaw in self-hosted instances: an unauthenticated attacker could overwrite the entire infrastructure configuration, including OAuth provider credentials and SMTP settings, by sending a single HTTP POST request to the `/v1/onboarding/config` endpoint, which enforced neither authentication nor a check that onboarding had already been completed. A successful exploit let the attacker replace the OAuth application credentials and thereby capture the OAuth tokens and email addresses of users logging in via SSO. The same endpoint also returned a recovery token that granted access to all stored secrets in plaintext, including SMTP passwords and other configured credentials.
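Two defender-side checks that follow from the description above, written as an added example rather than Hoppscotch's own code: a gate modelling the missing "onboarding already completed, caller must be an authenticated admin" condition for a first-run configuration endpoint, and a scan over reverse-proxy access logs that flags POSTs to `/v1/onboarding/config` made after initial setup finished. The `OnboardingState` type, the `setup_completed_at` parameter and the log lines are constructed for the example; only the endpoint path comes from the advisory.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List

# Hypothetical server-side state for a self-hosted instance (not Hoppscotch's own types).
@dataclass
class OnboardingState:
    completed: bool            # has first-run setup already finished?
    admin_authenticated: bool  # does the caller hold a valid admin session?

def config_write_allowed(state: OnboardingState) -> bool:
    """Hardened gate for a first-run configuration endpoint.

    The advisory describes the absence of both checks: any caller could
    overwrite OAuth/SMTP settings at any time. A safe gate accepts a write
    only while onboarding is not yet complete (the instance has no admin yet),
    and afterwards requires an authenticated administrator.
    """
    if not state.completed:
        return True
    return state.admin_authenticated

# Constructed Common Log Format lines from a reverse proxy; not real traffic.
# Setup on this fictional instance finished at 01/Mar/2026 12:00:00 UTC.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /v1/health HTTP/1.1" 200 17
198.51.100.23 - - [10/Mar/2026:09:15:40 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2026:12:00:00 +0000] "POST /v1/onboarding/config HTTP/1.1" 200 480
192.0.2.99 - - [11/Mar/2026:03:22:18 +0000] "POST /v1/onboarding/config?x=1 HTTP/1.1" 200 600
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ONBOARDING_PATH = "/v1/onboarding/config"

def suspicious_config_writes(lines: Iterable[str], setup_completed_at: datetime) -> List[dict]:
    """Return POSTs to the onboarding config endpoint made after setup finished.

    Such requests are unexpected on a healthy instance. A 2xx status means the
    server accepted the write; on a vulnerable version that implies the
    configuration (OAuth, SMTP) may have been replaced and should be verified.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") != "POST" or path != ONBOARDING_PATH:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if ts <= setup_completed_at:
            continue  # the legitimate first-run write
        hits.append({
            "ip": m.group("ip"),
            "time": ts.isoformat(),
            "accepted": m.group("status").startswith("2"),
        })
    return hits

if __name__ == "__main__":
    done = datetime(2026, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    for hit in suspicious_config_writes(SAMPLE_LOG.splitlines(), done):
        print(hit)
```

If the scan reports accepted writes on an instance that ran a version prior to 2026.2.0, treat the OAuth client secrets, SMTP credentials and any other stored secrets as compromised and rotate them after upgrading; the advisory notes the endpoint also handed out a recovery token, so an accepted request alone is enough to warrant rotation.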
**Recommendations**
Update to version 2026.2.0 or later.