{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34931", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.659Z", "datePublished": "2026-04-02T19:21:35.136Z", "dateUpdated": "2026-04-03T14:43:50.172Z"}, "containers": {"cna": {"title": "hoppscotch: Improper loopback redirect_uri validation in device-login flow", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v"}, {"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:21:35.136Z"}, "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0."}], "source": {"advisory": "GHSA-7fg7-wx5q-6m3v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T14:43:41.199050Z", "id": "CVE-2026-34931", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:43:50.172Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34931", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T14:43:41.199050Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:43:46.761Z"}}], "cna": {"title": "hoppscotch: Improper loopback redirect_uri validation in device-login flow", "source": {"advisory": "GHSA-7fg7-wx5q-6m3v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"status": "affected", "version": "< 2026.3.0"}]}], "references": [{"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v", "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:21:35.136Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34931", "state": "PUBLISHED", "dateUpdated": "2026-04-03T14:43:50.172Z", "dateReserved": "2026-03-31T17:27:08.659Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:21:35.136Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0."}], "id": "CVE-2026-34931", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:28.830", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hoppscotch", "source": "cna", "vendor": "hoppscotch"}, "product": "hoppscotch", "vendor": "hoppscotch"}], "analysis": {"en": {"generated_at": "2026-04-02T22:18:40.854348+00:00", "value": {"mitigation_remediation": ["Upgrade Hoppscotch to version 2026.3.0 or later.", "If an immediate upgrade is not possible, disable the device-login flow until a patched version is available.", "Configure your environment to block redirect URIs that do not belong to approved domains.", "Monitor authentication logs for unexpected redirect_uri usage to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via stolen authentication tokens"}, "threat_synthesis": {"affected_systems": "The affected product is the Hoppscotch API development ecosystem, specifically all releases before version 2026.3.0. Anyone using the device-login flow in these outdated releases is susceptible to this issue.", "description_and_impact": "This vulnerability arises from improper validation of loopback redirect_uri parameters during the device-login flow in Hoppscotch, an open source API development platform. Because the redirect_uri is not checked against allowed values, an attacker can supply a malicious URL and receive the authentication token intended for the legitimate user. Possession of this token allows the attacker to sign in as the victim, effectively taking over their account. The weakness is classified as an open redirect leading to token theft and subsequent unauthorized access.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.5, indicating high severity. Although no EPSS score is available and the issue is not listed in the CISA KEV catalog, the attack can be carried out remotely by exploiting the unchecked redirect_uri. An attacker only needs to construct a malicious redirect URL and have a user run the device-login flow to capture the token. This straightforward exploitation path, combined with the high potential impact of account takeover, makes the risk significant."}}}}, "created": "2026-04-03T07:31:22.468071+00:00", "updated": "2026-04-03T09:16:17.981652+00:00", "vendors": ["hoppscotch", "hoppscotch$PRODUCT$hoppscotch"]}