CVE-2026-34932
Stored XSS in Hoppscotch API Leads to CSRF Risk
Publication date: 2026-04-02
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoppscotch | hoppscotch | to 2026.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34932 is a high-severity stored Cross-Site Scripting (XSS) vulnerability found in the hoppscotch-backend Docker image versions up to 2026.2.1, patched in version 2026.3.0.
The vulnerability occurs because user-controllable input in mock server responses is not properly neutralized, allowing malicious scripts to be stored and executed in the context of other users.
An attacker can inject a malicious payload via a crafted GraphQL mutation that updates a request with a response containing a script. This script can create a new Personal Access Token (PAT), fetch user identity and environment data, and exfiltrate this sensitive information to an attacker-controlled server.
The exploit requires the victim to visit a malicious mock server URL, where the stored script executes in their browser, leading to theft of authentication tokens and user data.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access and data theft.
- Attackers can execute arbitrary scripts in users' browsers.
- Personal Access Tokens (PATs) can be created and stolen by attackers.
- Sensitive user identity and environment data can be exfiltrated.
- Attackers can perform Cross-Site Request Forgery (CSRF) attacks, leading to unauthorized modification of data.
Overall, this can lead to unauthorized actions performed on behalf of the victim, compromising confidentiality and integrity of user data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to identify stored XSS payloads in the hoppscotch-backend mock server responses. A proof-of-concept involves creating a mock server from a new collection with example requests, then intercepting and modifying a request body to inject a malicious script payload.
Detection can be performed by monitoring network traffic for suspicious POST requests to endpoints like `/v1/access-tokens/create` or `/graphql` that contain unusual payloads or by checking if mock server URLs (e.g., `http://<host>:3170/mock/<id>/xss`) are serving scripts that execute unexpected actions.
Tools such as Burp Suite can be used to intercept and modify requests to test for the vulnerability by injecting crafted GraphQL mutations that include script payloads.
Suggested commands or steps include:
- Use Burp Suite or a similar proxy to intercept requests to the hoppscotch-backend mock server.
- Modify the request body to include a script payload in the GraphQL mutation "UpdateRequest".
- Send the modified request and observe if the script executes when accessing the mock server URL.
- Monitor network traffic for POST requests to `/v1/access-tokens/create` or `/graphql` that may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade the hoppscotch-backend package to version 2026.3.0 or later, where the vulnerability has been patched.
Until the upgrade can be applied, consider restricting access to the mock server endpoints to trusted users only, to reduce the risk of exploitation.
Additionally, monitor for suspicious activity such as unexpected creation of Personal Access Tokens or unusual GraphQL queries that could indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute arbitrary scripts in usersβ browsers, leading to theft of authentication tokens and sensitive user data. This unauthorized access and exfiltration of personal and sensitive information could potentially violate data protection requirements under common standards and regulations such as GDPR and HIPAA, which mandate the protection of personal data and the implementation of adequate security measures to prevent unauthorized access.
Specifically, the high confidentiality impact due to exfiltration of tokens and user data indicates a risk of personal data breach, which may require notification and remediation under these regulations.