Hoppscotch: Admin RCE via MAILER_SMTP_URL nodemailer sendmail-transport injection

An insufficiently validated MAILER_SMTP_URL activates nodemailer's SendmailTransport in Hoppscotch and passes attacker-controlled arguments to child_process.spawn, allowing arbitrary command execution as root inside the container.

Advisory ID: TP-2026-031
Product: Hoppscotch (open-source API development platform, self-hosted)
Vulnerability type: OS command injection via options merge to root RCE (CWE-78)
CVE: CVE-2026-59721
CVSS 3.1: 7.2 (High) · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected versions: <= 2026.5.0 (self-hosted hoppscotch-backend Docker image)
Fixed in: 2026.6.0
Vendor advisory: GHSA-v7q6-r45w-2c6r
Reported: 22 May 2026

Summary

Hoppscotch is a widely used open-source API development platform. The GraphQL mutation updateInfraConfigs accepts an attacker-controlled MAILER_SMTP_URL value without proper validation. When nodemailer parses this URL, its query parameters are merged into the transport options, so sendmail=true activates the SendmailTransport. That transport passes attacker-controlled path and args values straight to child_process.spawn(), executing arbitrary commands as root inside the container. turingpoint verified the full chain and reported it; the vendor fixed it in 2026.6.0.

Root cause

The validateSMTPUrl validator uses the hostname class [^:]+, which permits query-string characters in the hostname field. MAILER_SMTP_URL is also absent from the EXCLUDE_FROM_UPDATE_CONFIGS blocklist, so it is writable through the admin mutation. nodemailer's parseConnectionUrl then merges all query parameters into the options object (CWE-915), and SendmailTransport passes those options unsanitized to child_process.spawn(). A sendmail=true&path=%2Fbin%2Fsh&args=-c&args=<command> in the URL therefore becomes a root process invocation.

Proof of Concept

# 1. Admin sends a GraphQL mutation with a malicious MAILER_SMTP_URL:

    mutation {
      updateInfraConfigs(infraConfigs: [{
        name: MAILER_SMTP_URL,
        value: "smtp://x?sendmail=true&path=%2Fbin%2Fsh&args=-c&args=<command>"
      }]) { name }
    }

# 2. The container restarts via stopApp() and reinitializes the mailer
#    with the injected URL.

# 3. Trigger an outbound email via anonymous signin:

    POST /v1/auth/signin?origin=app
    {"email":"[email protected]","origin":"app"}

# 4. The sendmail child process executes the attacker's command as uid=0(root).

Impact

  • Arbitrary command execution as root inside the container.
  • Access to DATABASE_URL (PostgreSQL superuser credentials).
  • Access to DATA_ENCRYPTION_KEY, enabling decryption of stored secrets.
  • Access to all stored environment variables across users and teams.
  • Lateral access to sidecar containers on the Docker network.
  • Requires only an admin account plus anonymous signin capability.

References

Is Something Like This in Your Software?

Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.