Executive Summary

CVE-2026-34847 is a DOM-based open redirect vulnerability found in the Hoppscotch API development ecosystem prior to version 2026.3.0. It occurs on the /enter page where the redirect query parameter is directly used to build a URL and redirect users without proper validation.

Because the redirect parameter is user-controlled and unchecked, an attacker can craft URLs that redirect users to arbitrary external sites, potentially leading to phishing or other malicious activities.

Useful 0 Not Useful 0

Compliance Impact

The DOM-based open redirect vulnerability in Hoppscotch could potentially be exploited for phishing attacks and credential theft by redirecting users to malicious external sites. Such exploitation risks unauthorized access to user credentials and sensitive information.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable phishing and credential theft can lead to violations of data protection and privacy regulations by compromising user data security.

Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require safeguarding user data and preventing unauthorized access, such as GDPR and HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited to redirect users to malicious websites, which can be used for phishing attacks by making deceptive links appear as if they originate from Hoppscotch.

It can also lead to credential theft through look-alike domains and potentially allow OAuth token theft if exploited within OAuth authentication flows.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the /enter page of the Hoppscotch application for open redirect behavior via the redirect query parameter.

A simple test is to visit the URL with a crafted redirect parameter that points to an external domain and observe if the application redirects to that domain without validation.

• Example URL to test: http://[hoppscotch-server]/enter?redirect=evil.com&foo=bar

If the browser redirects to https://evil.com?foo=bar, the vulnerability is present.

You can also use command line tools like curl to test the redirect behavior:

• curl -I "http://[hoppscotch-server]/enter?redirect=evil.com&foo=bar"

Check the Location header in the response to see if it redirects to an external site.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Hoppscotch to version 2026.3.0 or later, where this vulnerability has been patched.

The patch includes validation of the redirect parameter to prevent open redirects by enforcing a whitelist of allowed domains or same-origin checks.

Until the upgrade can be applied, consider implementing network-level controls such as blocking suspicious redirect URLs or monitoring for unusual redirect patterns.

Additionally, educate users to be cautious of phishing attempts that exploit this vulnerability.

Useful 0 Not Useful 0