Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to take over their account. This issue has been patched in version 2026.3.0.
Published: 2026-04-02
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: Account takeover via stolen authentication tokens
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from improper validation of loopback redirect_uri parameters during the device-login flow in Hoppscotch, an open source API development platform. Because the redirect_uri is not checked against allowed values, an attacker can supply a malicious URL and receive the authentication token intended for the legitimate user. Possession of this token allows the attacker to sign in as the victim, effectively taking over their account. The weakness is classified as CWE-601 (open redirect), here leading to token theft and subsequent unauthorized access.

Affected Systems

The affected product is the Hoppscotch API development ecosystem, specifically all releases before version 2026.3.0. Anyone using the device-login flow in these outdated releases is susceptible to this issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.5, indicating high severity. Although no EPSS score is available and the issue is not listed in the CISA KEV catalog, the attack can be carried out remotely by exploiting the unchecked redirect_uri. An attacker only needs to construct a malicious redirect URL and induce a user to complete the device-login flow (the CVSS vector records that user interaction is required) to capture the token. This straightforward exploitation path, combined with the high potential impact of account takeover, makes the risk significant.

Generated by OpenCVE AI on April 2, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hoppscotch to version 2026.3.0 or later.
  • If an immediate upgrade is not possible, disable the device-login flow until a patched version is available.
  • Configure your environment to block redirect URIs that do not belong to approved domains.
  • Monitor authentication logs for unexpected redirect_uri usage to detect potential exploitation attempts.
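The third and fourth actions above amount to one control: accept a loopback redirect_uri only when it is an exact match of the registered one apart from the port (the RFC 8252 rule for native clients), and flag any device-login request whose redirect_uri fails that check. The example below is added here to illustrate that control; it is not Hoppscotch's code and not the vendor's fix. It assumes a single registered loopback URI per client, accepts only the IP literals 127.0.0.1 and [::1] as loopback hosts, and parses constructed log lines of the form `... redirect_uri=<value> ...`, which is an assumed format rather than Hoppscotch's real log output.

```python
import re
from urllib.parse import urlsplit

# Loopback hosts accepted for a native-client redirect (RFC 8252 section 7.3).
# "localhost" is deliberately left out: the RFC marks it NOT RECOMMENDED because
# it can resolve to a non-loopback address on some hosts.  (Assumed policy.)
LOOPBACK_HOSTS = frozenset({"127.0.0.1", "::1"})


def validate_loopback_redirect(candidate: str, registered: str) -> bool:
    """Return True only if `candidate` is a safe loopback redirect_uri that
    matches `registered` in every component except the port number."""
    try:
        cand = urlsplit(candidate)
        reg = urlsplit(registered)
        _ = cand.port  # raises ValueError on a non-numeric port such as ":abc"
        _ = reg.port
    except ValueError:
        return False

    # 1. Loopback redirects are plain http; anything else is not loopback.
    if cand.scheme != "http" or reg.scheme != "http":
        return False
    # 2. No userinfo and no fragment: "http://127.0.0.1@evil.example/cb" parses
    #    with hostname evil.example, and a fragment can carry the token onward.
    if cand.username is not None or cand.password is not None or cand.fragment:
        return False
    # 3. Exact host comparison against the loopback set; a prefix or substring
    #    check would let "127.0.0.1.evil.example" through.
    if (cand.hostname or "").lower() not in LOOPBACK_HOSTS:
        return False
    if (reg.hostname or "").lower() not in LOOPBACK_HOSTS:
        return False
    # 4. Path and query must match the registration byte-for-byte; the port is
    #    the only component a native client may choose at runtime.
    if cand.path != reg.path or cand.query != reg.query:
        return False
    return True


# Assumed log format: the redirect_uri appears as a "redirect_uri=<value>" token.
REDIRECT_RE = re.compile(r"redirect_uri=(\S+)")


def flag_suspicious_redirects(log_lines, registered: str):
    """Return the device-login log lines whose redirect_uri fails validation."""
    flagged = []
    for line in log_lines:
        match = REDIRECT_RE.search(line)
        if match and not validate_loopback_redirect(match.group(1), registered):
            flagged.append(line)
    return flagged


# Constructed sample log lines for demonstration (not real Hoppscotch output).
SAMPLE_LOG = [
    "2026-04-02T20:10:01Z device-login redirect_uri=http://127.0.0.1:49152/callback result=ok",
    "2026-04-02T20:10:07Z device-login redirect_uri=http://127.0.0.1.attacker.example/callback result=ok",
    "2026-04-02T20:10:09Z device-login redirect_uri=http://127.0.0.1@attacker.example/callback result=ok",
    "2026-04-02T20:10:12Z device-login redirect_uri=http://[::1]:49152/callback result=ok",
]

if __name__ == "__main__":
    for line in flag_suspicious_redirects(SAMPLE_LOG, "http://127.0.0.1/callback"):
        print("SUSPICIOUS:", line)
```

Running the block flags the second and third sample lines (a look-alike hostname and a userinfo trick) while accepting a different port and the IPv6 loopback literal; the same `validate_loopback_redirect` check is what the server should apply before issuing a token, so the detection and the mitigation share one rule.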

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hoppscotch
                                      Hoppscotch hoppscotch
Vendors & Products                    Hoppscotch
                                      Hoppscotch hoppscotch

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0.
Title                          hoppscotch: Improper loopback redirect_uri validation in device-login flow
Weaknesses                     CWE-601
References
Metrics                        cvssV4_0
                               {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T19:21:35.136Z

Reserved: 2026-03-31T17:27:08.659Z

Link: CVE-2026-34931

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T20:16:28.830

Modified: 2026-04-02T20:16:28.830

Link: CVE-2026-34931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:17Z

Weaknesses