CVE-2026-34847
DOM-Based Open Redirect in Hoppscotch /enter Page
Publication date: 2026-04-02
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoppscotch | hoppscotch | before 2026.3.0 (2026.3.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34847 is a DOM-based open redirect in the open-source Hoppscotch API development ecosystem, affecting versions before 2026.3.0. On the /enter page, client-side JavaScript reads the redirect query parameter, builds a URL from it and navigates the browser there without validating the destination.
Because the parameter is attacker-controlled and unchecked, a link such as /enter?redirect=evil.com on a legitimate Hoppscotch host sends anyone who follows it to an arbitrary external site. That is the building block for phishing and credential-theft pages that appear to originate from the trusted Hoppscotch domain.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The DOM-based open redirect vulnerability in Hoppscotch could potentially be exploited for phishing attacks and credential theft by redirecting users to malicious external sites. Such exploitation risks unauthorized access to user credentials and sensitive information.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable phishing and credential theft can lead to violations of data protection and privacy regulations by compromising user data security.
Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require safeguarding user data and preventing unauthorized access, such as GDPR and HIPAA.
How can this vulnerability impact me?
This vulnerability can be exploited to redirect users to malicious websites, which can be used for phishing attacks by making deceptive links appear as if they originate from Hoppscotch.
It can also lead to credential theft through look-alike domains, and if a Hoppscotch /enter URL is accepted as a redirect target in an OAuth flow (for example as a registered redirect_uri), the open redirect can be chained to forward the authorization code or token to an attacker-controlled site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /enter page of the Hoppscotch application for open redirect behavior via the redirect query parameter. Because the redirect is DOM-based, the decision is made by JavaScript running in the browser, not by the server, so it can only be observed by loading the page in a browser (or a headless browser) and watching where it navigates.
A simple test is to open the URL with a crafted redirect parameter that points to an external domain you control and observe whether the page navigates there without validation.
- Example URL to test: http://[hoppscotch-server]/enter?redirect=evil.com&foo=bar
If the browser ends up at https://evil.com?foo=bar, the vulnerability is present. Use a domain you control rather than a third party's, and try protocol-relative (//evil.com) and scheme-bearing (https://evil.com) forms as well as a bare hostname.
Note that curl does not execute the page's JavaScript, so a DOM-based redirect will not appear as an HTTP redirect:
- curl -I "http://[hoppscotch-server]/enter?redirect=evil.com&foo=bar"
Expect a 200 response with no Location header whether or not the instance is vulnerable; this result does not rule the issue out. To establish exposure without a browser, compare the deployed Hoppscotch version (shown in the application UI or in your deployment manifest) against 2026.3.0.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Hoppscotch to version 2026.3.0 or later, where this vulnerability has been patched.
The fix validates the redirect parameter on the /enter page so that only same-origin destinations (or destinations on an explicit allow-list) are followed; anything else is dropped instead of being navigated to.
Until the upgrade can be applied, the query string of the initial request is still visible to a reverse proxy even though the redirect itself happens in the browser, so a proxy rule can reject or strip /enter requests whose redirect parameter contains a scheme, starts with // or \\, or is otherwise not a plain relative path, and your access logs can be searched for the same patterns to spot attempted abuse.
Additionally, warn users that links to your Hoppscotch host may be used as a phishing lure and that they should check the final URL they land on, not only the host in the link they clicked.
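The following is an added example in JavaScript; it is not Hoppscotch's code and not the 2026.3.0 patch. It illustrates the detection and mitigation points above in one place: a redirect builder that reproduces the behaviour described for the unpatched /enter page (the assumption being that evil.com becomes https://evil.com?foo=bar by prepending a scheme and forwarding the remaining query string), a same-origin replacement of the kind the fix is described as applying, and a probe that runs a set of common bypass payloads through either builder and lists those whose destination leaves the application origin. The origin https://hoppscotch.example, the function names and the payload list are assumptions constructed for the example. In a real check, the builder under test is the browser itself navigating to /enter; the payload list is what you would drive through a headless browser.

```javascript
// Added illustration, not Hoppscotch's own code or patch.
// APP_ORIGIN and the function names are assumptions for this example.
const APP_ORIGIN = "https://hoppscotch.example";

// Vulnerable pattern (assumed): trust the redirect parameter, prepend https://
// when it carries no scheme, and forward the remaining query string. This is
// what turns redirect=evil.com&foo=bar into https://evil.com?foo=bar.
function buildRedirectUnsafe(search, origin = APP_ORIGIN) {
  const params = new URLSearchParams(search);
  const target = params.get("redirect");
  if (target === null) return origin + "/";
  params.delete("redirect");
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(target);
  const base = hasScheme ? target : "https://" + target;
  const rest = params.toString();
  return rest ? base + "?" + rest : base;
}

// Hardened pattern: resolve the value against the application origin and
// navigate only when the resulting origin is on the allow-list. Relative
// paths such as /dashboard resolve to the app origin; "//evil.com",
// "\\evil.com", "user@evil.com" and javascript: URLs do not.
function buildRedirectSafe(search, origin = APP_ORIGIN, allowedOrigins = [origin]) {
  const params = new URLSearchParams(search);
  const target = params.get("redirect") ?? "/";
  params.delete("redirect");
  let url;
  try {
    url = new URL(target, origin);
  } catch {
    return origin + "/"; // unparsable input: fall back to the home page
  }
  if (!allowedOrigins.includes(url.origin)) {
    return origin + "/"; // cross-origin or "null" origin: fall back
  }
  for (const [k, v] of params) url.searchParams.append(k, v);
  return url.href;
}

// Constructed payloads covering the usual open-redirect filter bypasses.
const PROBE_PAYLOADS = [
  "evil.com",
  "https://evil.com",
  "//evil.com",
  "\\\\evil.com",
  "https://hoppscotch.example@evil.com",
  "https://hoppscotch.example.evil.com/",
  "javascript:alert(1)",
  "/dashboard",
];

// Detection logic: feed each payload to a builder as ?redirect=<payload>&foo=bar
// and report those whose destination leaves the application origin.
function findEscapes(builder, origin = APP_ORIGIN) {
  const escapes = [];
  for (const payload of PROBE_PAYLOADS) {
    const search = "?redirect=" + encodeURIComponent(payload) + "&foo=bar";
    const result = builder(search, origin);
    let resultOrigin;
    try {
      resultOrigin = new URL(result).origin;
    } catch {
      resultOrigin = "(unparsable)";
    }
    if (resultOrigin !== origin) escapes.push({ payload, result });
  }
  return escapes;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe builder escapes:", findEscapes(buildRedirectUnsafe));
  console.log("safe builder escapes:", findEscapes(buildRedirectSafe));
}
```

The safe variant deliberately resolves the parameter with `new URL(value, origin)` and compares `url.origin` rather than inspecting the string: string checks such as "starts with /" are what the protocol-relative, backslash and userinfo payloads in the probe list are designed to slip past, while the parsed origin is what the browser will actually navigate to.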