Cyber Posture

CVE-2026-34931

Severity: Critical · Public PoC

Published: 02 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in version 2026.3.0
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34931 is a critical-severity Open Redirect (CWE-601) vulnerability in Hoppscotch (vendor: Hoppscotch). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The vulnerability is ranked at the 3.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly mitigates the open redirect vulnerability by requiring timely identification, reporting, and patching of the flaw, as fixed in Hoppscotch version 2026.3.0.
- prevent: Prevents exploitation of the open redirect (CWE-601) by enforcing validation of redirect URL inputs to block unauthorized external redirects and token exfiltration.
- detect: Enables detection of the critical open redirect vulnerability in Hoppscotch through regular vulnerability scanning, facilitating prompt remediation.

MITRE ATT&CK Enterprise Techniques [AI]

- T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
- T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

Open redirect enables token exfiltration via malicious phishing links (T1566.002) to steal application access tokens (T1528) for account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to take over their account. This issue has been patched in version 2026.3.0.

Deeper analysis [AI]

Hoppscotch, an open source API development ecosystem, contains an open redirect vulnerability (CWE-601) in versions prior to 2026.3.0 that enables token exfiltration. Assigned CVE-2026-34931 and published on 2026-04-02, this flaw carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability effects across a changed scope.

A remote attacker with no privileges can exploit this vulnerability over the network with low complexity by tricking a user into interacting with a malicious link (e.g., via phishing). Successful exploitation allows the attacker to redirect the victim to a controlled site, exfiltrate authentication tokens, and use them to sign in as the victim, resulting in full account takeover.

The issue has been addressed in hoppscotch version 2026.3.0, as detailed in the project's release notes and security advisory (GHSA-7fg7-wx5q-6m3v). Security practitioners should urge users to upgrade immediately and review access to hoppscotch instances for exposed tokens.
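The input-validation control (SI-10) listed above comes down to one check: never issue a redirect to a target whose origin differs from the application's own, because that is exactly the path by which a redirect parameter carries a session token to a third-party host. The following is an added illustration written for this page, not Hoppscotch's code and not derived from the advisory; the origin `https://app.example`, the function name `safeRedirectTarget` and the sample inputs are constructed assumptions. It relies on the WHATWG URL parser (global `URL` in Node and browsers) to normalise the usual bypass shapes before comparing origins.

```javascript
// Constructed example: validate a post-login "redirect" parameter so the
// response Location header is always same-origin. Assumed deployment origin.
const APP_ORIGIN = "https://app.example";

// Returns a same-origin path (path + query + fragment) for the candidate, or
// `fallback` when the candidate would leave the application's origin.
function safeRedirectTarget(candidate, appOrigin = APP_ORIGIN, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  let target;
  try {
    // Resolving against the app origin turns relative paths into absolute
    // URLs. The parser also normalises "//host", "/\host" (backslash is a
    // slash for special schemes) and "user@host", so the origin comparison
    // below sees the real destination rather than the raw string.
    target = new URL(candidate, appOrigin);
  } catch {
    return fallback; // unparsable input is never a valid redirect target
  }

  // Scheme, host and port must all match. "javascript:" and "data:" URLs
  // have an opaque origin ("null") and a scheme downgrade to http:// fails
  // the comparison as well.
  if (target.origin !== new URL(appOrigin).origin) return fallback;

  // Hand back only the path portion so callers cannot accidentally emit the
  // absolute URL with a different authority.
  return target.pathname + target.search + target.hash;
}

// Convenience wrapper for a login handler: the decision plus a reason string
// that can be logged for detection of redirect-abuse attempts.
function decideRedirect(candidate, appOrigin = APP_ORIGIN) {
  const location = safeRedirectTarget(candidate, appOrigin);
  const accepted = typeof candidate === "string" && location !== "/";
  return {
    location,
    reason: accepted ? "same-origin" : "rejected: not same-origin or empty",
  };
}

module.exports = { APP_ORIGIN, safeRedirectTarget, decideRedirect };
```

Logging the `reason` from `decideRedirect` gives a simple detection signal: a burst of rejected redirect parameters pointing at one external host is worth an alert.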

Details

CWE(s): CWE-601 (Open Redirect)

Affected Products: hoppscotch / hoppscotch, ≤ 2026.3.0

CVEs Like This One

- CVE-2026-28216 (same product: Hoppscotch Hoppscotch)
- CVE-2026-28215 (same product: Hoppscotch Hoppscotch)
- CVE-2026-34932 (same product: Hoppscotch Hoppscotch)
- CVE-2025-24868 (shared CWE-601)
- CVE-2025-24381 (shared CWE-601)
- CVE-2024-57241 (shared CWE-601)
- CVE-2025-24180 (shared CWE-601)
- CVE-2026-28512 (shared CWE-601)
- CVE-2025-0244 (shared CWE-601)
- CVE-2024-51321 (shared CWE-601)
