Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance, including OAuth provider credentials and SMTP settings, by sending a single HTTP POST request with no authentication. The endpoint /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows an attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's app. This captures tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read stored secrets in plaintext, including passwords and any other configured credentials. Version 2026.2.0 fixes the issue.
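The flaw described above is a one-time setup endpoint that keeps accepting writes after setup is done, with no caller authentication. The following is an added example, not Hoppscotch's code and not the fix shipped in 2026.2.0: a minimal request guard that contrasts the pre-fix pattern with a hardened one (allow the write only while onboarding is still pending, otherwise require an authenticated admin session), plus a small log check that flags POSTs to the onboarding config path after the recorded onboarding-completion time. The state field `onboardingCompleted`, the `session.isAdmin` flag, and the access-log format are assumptions constructed for this example.

```javascript
// Added example (not Hoppscotch's code). Models the advisory's flaw:
// a first-run configuration endpoint that must stop accepting anonymous
// writes once onboarding has completed.

// Pre-fix behaviour as the advisory describes it: every POST is accepted,
// with no authentication and no "already onboarded" check.
function vulnerableGuard(_request, _state) {
  return { allowed: true, status: 200, reason: 'no checks performed' };
}

// Hardened guard. `state.onboardingCompleted` and `request.session.isAdmin`
// are assumed field names for this example.
function hardenedGuard(request, state) {
  if (request.method !== 'POST') {
    return { allowed: false, status: 405, reason: 'method not allowed' };
  }
  if (!state.onboardingCompleted) {
    // First-run setup: the handler must flip onboardingCompleted atomically
    // with the write so a second anonymous request cannot race in.
    return { allowed: true, status: 200, reason: 'initial onboarding' };
  }
  if (!request.session) {
    return { allowed: false, status: 401, reason: 'authentication required' };
  }
  if (!request.session.isAdmin) {
    return { allowed: false, status: 403, reason: 'admin role required' };
  }
  return { allowed: true, status: 200, reason: 'authenticated admin' };
}

// Detection over access logs. Constructed sample lines in the form:
//   <ISO timestamp> <client ip> <method> <path> <status> auth=<session kind>
// Any POST to the onboarding config path after onboarding completed is
// worth reviewing, whatever auth= says, since pre-fix instances never checked.
const SAMPLE_LOG = [
  '2026-01-20T08:30:00Z 198.51.100.10 POST /v1/onboarding/config 200 auth=none',
  '2026-01-20T09:15:00Z 203.0.113.5 POST /v1/onboarding/config 200 auth=none',
  '2026-01-20T09:16:00Z 203.0.113.5 GET /v1/onboarding/status 200 auth=none',
  '2026-01-20T09:20:00Z 198.51.100.22 POST /v1/onboarding/config 200 auth=admin-session',
];

const ONBOARDING_CONFIG_PATH = '/v1/onboarding/config';

function findSuspiciousOnboardingWrites(lines, onboardingCompletedAt) {
  const completedMs = Date.parse(onboardingCompletedAt);
  const findings = [];
  for (const line of lines) {
    const [ts, ip, method, path, status, auth] = line.trim().split(/\s+/);
    if (method !== 'POST' || path !== ONBOARDING_CONFIG_PATH) continue;
    if (Date.parse(ts) <= completedMs) continue; // legitimate first-run write
    findings.push({ ts, ip, status, auth: auth ? auth.replace('auth=', '') : 'unknown' });
  }
  return findings;
}

module.exports = { vulnerableGuard, hardenedGuard, findSuspiciousOnboardingWrites, SAMPLE_LOG };
```

Running the detection with the sample onboarding-completion time of 2026-01-20T09:00:00Z returns the two later POSTs; the one with an admin session is still listed so an operator can confirm it was expected, because on an unpatched instance the server itself never made that distinction.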
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg