Hoppscotch Open Redirect Vulnerability Leading to Token Exfiltration and Account Takeover

Vulnerability

An open redirect vulnerability has been identified in Hoppscotch, an open-source API development ecosystem, in versions prior to 2026.3.0. The device-login flow accepts an attacker-controlled redirect_uri and forwards the freshly issued access and refresh tokens to it, so a victim who completes the flow via a crafted link hands their tokens to the attacker. With those tokens the attacker can sign in as the victim and take over the account.

Impact

Exploitation of this vulnerability allows account takeover: the exfiltrated access and refresh tokens can be replayed to authenticate as the victim, and the refresh token lets the attacker keep the session alive after the short-lived access token expires.

Reproduction

To reproduce this vulnerability, log into a self-hosted instance of Hoppscotch as the victim user. Set up an HTTP listener under your control to capture incoming requests. Then, in the logged-in browser, navigate to the device-login endpoint with a redirect_uri parameter that points to the listener. After clicking 'Proceed', the listener receives a request carrying the access and refresh tokens, demonstrating that the redirect target is not validated and that the tokens are delivered to an arbitrary origin.
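The following is an added example, not Hoppscotch's own code, showing why this class of bug leaks tokens and what a fix looks like: a naive redirect_uri check based on string prefix or substring matching, a strict check that parses the URI and compares its origin against an exact allowlist, the server step that appends tokens to the accepted redirect, and the attacker-side parsing a listener would do. The parameter names access_token and refresh_token, the allowed origins, and the bypass URIs are constructed assumptions for illustration.

```typescript
// Added example (hypothetical; not Hoppscotch's code): how an open redirect
// on a token-issuing callback leaks tokens, and how a strict redirect_uri
// allowlist closes it. Parameter names and origins below are assumptions.

interface Tokens {
  access: string;
  refresh: string;
}

// Origins the device-login flow may legitimately hand tokens to (assumed).
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com",
  "http://localhost:3000",
]);

// Weak check: prefix/substring matching on the raw string.
// Every entry in BYPASSES passes this and points at an attacker origin.
function naiveIsAllowed(redirectUri: string): boolean {
  return (
    redirectUri.startsWith("https://app.example.com") ||
    redirectUri.includes("localhost")
  );
}

// Strict check: parse, then compare the canonical origin against an exact
// allowlist. Non-http(s) schemes, userinfo tricks and lookalike hosts fail.
function strictIsAllowed(redirectUri: string): boolean {
  let url: URL;
  try {
    url = new URL(redirectUri);
  } catch (e) {
    return false; // relative or malformed URI: never redirect
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Server side of the callback: append tokens to the redirect target only if
// the validator accepts it. Returns null when the redirect is refused.
function buildTokenRedirect(
  redirectUri: string,
  tokens: Tokens,
  isAllowed: (u: string) => boolean,
): string | null {
  if (!isAllowed(redirectUri)) return null;
  const target = new URL(redirectUri);
  target.searchParams.set("access_token", tokens.access);
  target.searchParams.set("refresh_token", tokens.refresh);
  return target.toString();
}

// Attacker side: what a listener parses out of the request URL it receives.
// Tokens are read from the query string, falling back to the fragment.
function extractTokens(capturedUrl: string): Partial<Tokens> {
  const url = new URL(capturedUrl);
  const query = new URLSearchParams(url.search);
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  const pick = (k: string) => query.get(k) ?? frag.get(k) ?? undefined;
  return { access: pick("access_token"), refresh: pick("refresh_token") };
}

// Constructed attacker-controlled redirect_uri values that defeat the naive check.
const BYPASSES: readonly string[] = [
  "https://app.example.com.attacker.test/cb", // lookalike host passes the prefix check
  "https://app.example.com@attacker.test/cb", // userinfo trick; real host is attacker.test
  "https://attacker.test/cb?x=localhost",     // substring match on a query value
];

// Count how many bypasses deliver a token to the attacker under a validator.
function countLeaks(isAllowed: (u: string) => boolean): number {
  const tokens: Tokens = { access: "at-constructed", refresh: "rt-constructed" };
  let leaks = 0;
  for (const uri of BYPASSES) {
    const redirect = buildTokenRedirect(uri, tokens, isAllowed);
    if (redirect !== null && extractTokens(redirect).access === tokens.access) {
      leaks++;
    }
  }
  return leaks;
}

console.log("naive validator leaks:", countLeaks(naiveIsAllowed));   // 3
console.log("strict validator leaks:", countLeaks(strictIsAllowed)); // 0
```

The design point is that the allowlist comparison must run on the parsed origin, never on the raw string: the userinfo case in particular looks like the legitimate host to a prefix check while the browser actually connects to the attacker's host.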

Remediation

Update to Hoppscotch version 2026.3.0 or later, which validates the redirect target and so closes the open redirect and the associated token theft. Because leaked refresh tokens remain usable after the upgrade, operators of affected instances should also revoke existing sessions so that any tokens already exfiltrated stop working.

Added: Apr 2, 2026, 9:18 PM
Updated: Apr 2, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.2
exploitability: 5.2
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.