CVE-2026-34847 Overview
CVE-2026-34847 is a DOM-based open redirect vulnerability in Hoppscotch, an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability where the redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This weakness (CWE-601: URL Redirection to Untrusted Site) can be exploited to redirect users to malicious websites, facilitating phishing attacks and credential theft.
Critical Impact
Attackers can craft malicious URLs that appear to originate from a trusted Hoppscotch instance, redirecting unsuspecting users to attacker-controlled phishing sites or malware distribution pages.
Affected Products
- Hoppscotch versions prior to 2026.3.0
Discovery Timeline
- 2026-04-02 - CVE-2026-34847 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34847
Vulnerability Analysis
This DOM-based open redirect vulnerability exists in the Hoppscotch application's /enter page, which handles user authentication and entry flows. The vulnerability stems from insufficient validation of the redirect query parameter, which is used to determine where users should be sent after completing an action. Because this parameter is directly incorporated into the redirect logic without proper sanitization, attackers can manipulate it to redirect users to arbitrary external domains.
DOM-based open redirects are particularly insidious because the malicious payload often exists only in the browser's document object model, making server-side detection more challenging. The network-accessible nature of this vulnerability means attackers can distribute malicious links through various channels including email, social media, or embedded in other web pages.
Root Cause
The root cause of this vulnerability is improper input validation of the redirect query parameter on the /enter page. The application fails to validate that the redirect destination is a trusted, internal URL before performing the redirection. This allows an attacker to supply an arbitrary external URL, which the application will blindly redirect the user to.
Proper validation should include allowlisting of permitted redirect destinations or ensuring that redirect URLs belong to the same origin as the application.
Attack Vector
The attack vector for this vulnerability is network-based and requires user interaction. An attacker crafts a malicious URL containing the Hoppscotch /enter endpoint with a manipulated redirect parameter pointing to an attacker-controlled domain. When a victim clicks this link, they are initially taken to the legitimate Hoppscotch instance, which then automatically redirects them to the malicious site.
This technique is commonly used in phishing campaigns because the initial URL appears to belong to a trusted domain, increasing the likelihood that victims will click the link and potentially submit credentials or download malware from the attacker's site.
The vulnerability affects applications accessible over the network and does not require authentication to exploit, making it relatively easy for attackers to weaponize.
Detection Methods for CVE-2026-34847
Indicators of Compromise
- HTTP request logs showing access to the /enter endpoint with suspicious redirect parameter values containing external domains
- Web application firewall (WAF) alerts for URL redirection patterns to untrusted destinations
- User reports of being redirected to unexpected or phishing websites after clicking Hoppscotch-related links
Detection Strategies
- Configure web application firewalls to detect and block requests containing external URLs in redirect parameters
- Implement URL monitoring to identify outbound redirects to non-allowlisted domains
- Review web server access logs for unusual patterns in the redirect query parameter, particularly URLs pointing to external domains
Monitoring Recommendations
- Enable detailed logging for the /enter endpoint to capture full URL parameters
- Set up alerts for redirect parameter values that don't match expected internal URL patterns
- Monitor for increased traffic to the /enter page that may indicate active exploitation attempts
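The same-origin check called for under Root Cause and the log review recommended under Detection Strategies both come down to one question: does the redirect parameter, once parsed, resolve to the application's own origin? The block below is an added example and is not Hoppscotch's code or the 2026.3.0 patch. It shows the vulnerable shape beside a hardened resolver, and then reuses the resolver's classifier to flag /enter requests in access-log lines. The origin https://hoppscotch.example, the client addresses and the log lines are all constructed.

```javascript
// Added example (not Hoppscotch's code or its 2026.3.0 patch): validating a "redirect"
// query parameter before a client-side redirect, and reviewing access-log lines for
// the /enter endpoint with the same classifier. The origin and log lines are constructed.

const APP_ORIGIN = 'https://hoppscotch.example'; // hypothetical self-hosted instance
const DEFAULT_TARGET = '/';                        // landing page when the parameter is unsafe

// The vulnerable shape CWE-601 describes: the raw parameter flows into location.href,
// so absolute, protocol-relative and scheme-bearing values are all followed as given.
function vulnerableTarget(rawRedirect) {
  return rawRedirect; // e.g. location.href = vulnerableTarget(params.get('redirect'))
}

// Classify a raw redirect value relative to the application's own origin. Parsing with
// the URL constructor (rather than a string prefix check) is what makes "//host",
// "/\host", "https://app@host" and "https://app.evil" all resolve to their real origin.
function classifyRedirect(rawRedirect, appOrigin = APP_ORIGIN) {
  if (typeof rawRedirect !== 'string' || rawRedirect === '') {
    return { safe: false, reason: 'missing', href: null };
  }
  let url;
  try {
    url = new URL(rawRedirect, appOrigin); // "/path" resolves against the app origin
  } catch {
    return { safe: false, reason: 'unparsable', href: null };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { safe: false, reason: `scheme ${url.protocol}`, href: url.href };
  }
  if (url.origin !== new URL(appOrigin).origin) {
    // Catches external hosts, lookalike subdomains and http:// downgrades of the app origin.
    return { safe: false, reason: `external origin ${url.origin}`, href: url.href };
  }
  return { safe: true, reason: 'same origin', href: url.href };
}

// Hardened resolver: only a same-origin http(s) target is returned, already normalised
// to an absolute URL; anything else falls back to the default landing page.
function safeRedirectTarget(rawRedirect, appOrigin = APP_ORIGIN) {
  const { safe, href } = classifyRedirect(rawRedirect, appOrigin);
  return safe ? href : DEFAULT_TARGET;
}

// Detection side: scan Common/Combined Log Format lines, keep /enter requests that carry
// a redirect parameter, and flag those the classifier would not have accepted.
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;

function scanAccessLog(lines, appOrigin = APP_ORIGIN) {
  const findings = [];
  lines.forEach((line, index) => {
    const match = LOG_LINE.exec(line);
    if (!match) return; // not a request line we understand
    const [, client, target] = match;
    let request;
    try {
      request = new URL(target, appOrigin);
    } catch {
      return;
    }
    if (request.pathname !== '/enter') return;
    const raw = request.searchParams.get('redirect'); // percent-decoded by searchParams
    if (raw === null) return;
    const verdict = classifyRedirect(raw, appOrigin);
    if (verdict.safe) return;
    findings.push({ line: index + 1, client, redirect: raw, reason: verdict.reason });
  });
  return findings;
}

// Constructed sample log: lines 2 and 3 carry external redirect targets.
const SAMPLE_LOG = [
  '192.0.2.10 - - [02/Apr/2026:10:00:00 +0000] "GET /enter?redirect=%2Fdashboard HTTP/1.1" 200 512',
  '192.0.2.11 - - [02/Apr/2026:10:00:05 +0000] "GET /enter?redirect=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 200 512',
  '192.0.2.12 - - [02/Apr/2026:10:00:09 +0000] "GET /enter?redirect=%2F%2Fphish.example HTTP/1.1" 200 512',
  '192.0.2.13 - - [02/Apr/2026:10:00:12 +0000] "GET /enter?redirect=https%3A%2F%2Fhoppscotch.example%2Fsettings HTTP/1.1" 200 512',
  '192.0.2.14 - - [02/Apr/2026:10:00:15 +0000] "GET /enter HTTP/1.1" 200 512',
  '192.0.2.15 - - [02/Apr/2026:10:00:20 +0000] "POST /graphql HTTP/1.1" 200 88',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

Two points in the design matter in practice. Comparing `url.origin` after parsing, instead of testing whether the string starts with the application's hostname, is what rejects protocol-relative values, credentials-in-URL tricks and lookalike domains that merely contain the trusted name; an instance served on a non-default port must include that port in the configured origin, since the origin comparison is exact. The allowlist of permitted internal paths that the Root Cause section mentions is the stricter alternative and would replace the origin check with a lookup on `url.pathname`; the log scanner works unchanged with either rule because it only asks whether the classifier would have accepted the value.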
How to Mitigate CVE-2026-34847
Immediate Actions Required
- Upgrade Hoppscotch to version 2026.3.0 or later, which contains the security patch for this vulnerability
- Review web server logs for any evidence of exploitation attempts targeting the /enter page
- Communicate with users about the potential for phishing attempts using crafted Hoppscotch URLs
Patch Information
Hoppscotch has addressed this vulnerability in version 2026.3.0. Organizations should upgrade to this version or later as soon as possible. The patch implements proper validation of the redirect parameter to prevent redirection to untrusted external sites.
For detailed patch information, refer to the GitHub Release Notes 2026.3.0 and the GitHub Security Advisory GHSA-27pm-c9ch-746q.
Workarounds
- Implement web application firewall rules to block requests to the /enter endpoint containing external URLs in the redirect parameter
- Use network-level filtering to restrict outbound redirects from the Hoppscotch application
- If upgrading is not immediately possible, consider temporarily disabling or restricting access to the /enter page until the patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

