CVE-2026-13524
MEDIUMCherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization
Title source: cnaDescription
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
References (7)
Core 7
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-374532 | CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization
https://vuldb.com/vuln/374532
Signature, Permissions Required signature
permissions-required
VDB-374532 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/374532/cti
Third Party Advisory third-party-advisory
CVE-2026-13524 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-13524
Third Party Advisory third-party-advisory
Submit #840175 | CherryHQ cherry-studio 1.9.6 Authorization Bypass / Login CSRF
https://vuldb.com/submit/840175
Exploit exploit
issue-tracking
https://github.com/CherryHQ/cherry-studio/issues/15372
Patch issue-tracking
patch
https://github.com/CherryHQ/cherry-studio/pull/15388
Product product
https://github.com/CherryHQ/cherry-studio/
Scores
CVSS v3
5.6
EPSS
0.0026
EPSS Percentile
17.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-266
CWE-285
Status
published
Products (7)
CherryHQ/cherry-studio
1.9.0
CherryHQ/cherry-studio
1.9.1
CherryHQ/cherry-studio
1.9.2
CherryHQ/cherry-studio
1.9.3
CherryHQ/cherry-studio
1.9.4
CherryHQ/cherry-studio
1.9.5
CherryHQ/cherry-studio
1.9.6
Published
Jun 29, 2026
Tracked Since
Jun 29, 2026