CVE-2026-34931
Open Redirect in Hoppscotch Enables Token Theft and Account Takeover
Publication date: 2026-04-02
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoppscotch | hoppscotch | to 2026.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34931 is a high-severity open redirect vulnerability in the Hoppscotch API development ecosystem, specifically in the device-login flow before version 2026.3.0.
The issue arises because the application does not properly validate the loopback `redirect_uri` parameter, allowing attackers to craft malicious URLs that redirect users to attacker-controlled domains.
When a victim clicks on such a malicious URL and proceeds, their access and refresh tokens are sent to the attacker, enabling the attacker to take over the victim's account.
Exploitation requires active user interaction but no special privileges or conditions.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Hoppscotch to version 2026.3.0 or later, where the open redirect vulnerability has been patched.
Until the upgrade can be applied, restrict access to the device-login endpoint and monitor for suspicious redirect_uri parameters to reduce the risk of exploitation.
Educate users to avoid clicking on suspicious or unexpected device-login URLs, as exploitation requires active user interaction.
How can this vulnerability impact me? :
This vulnerability can lead to token exfiltration, where an attacker obtains the victim's access and refresh tokens.
With these tokens, the attacker can sign in as the victim and take over their account, compromising the confidentiality and integrity of the victim's data and account.
The attack requires the victim to interact with a maliciously crafted URL but does not require the attacker to have any privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Hoppscotch allows attackers to exfiltrate tokens through an open redirect, enabling account takeover. This leads to a high impact on confidentiality and integrity of user data.
Such unauthorized access and potential data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to prevent unauthorized disclosure and ensure data integrity.
Therefore, exploitation of this vulnerability could lead to violations of these standards due to compromised user tokens and unauthorized account access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious device-login URLs containing manipulated redirect_uri parameters that point to external, attacker-controlled domains.
One approach is to analyze web server logs or network traffic for requests to the device-login endpoint with unusual or unexpected redirect_uri values.
For example, you can use command-line tools like grep or tcpdump to filter such requests.
- grep -i 'redirect_uri=' /path/to/hoppscotch/access.log
- tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'redirect_uri='
Additionally, setting up a listener (e.g., a simple Python HTTP server) to detect token exfiltration attempts as demonstrated in the advisory's proof-of-concept can help identify exploitation attempts.