CVE-2026-13524
CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization
CVSS Score
5.6
EPSS Score
0.0%
EPSS Percentile
0th
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
| CWE | CWE-285 CWE-266 |
| Vendor | cherryhq |
| Product | cherry-studio |
| Published | Jun 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for cherryhq cherry-studio
Be the first to know when new medium vulnerabilities affecting cherryhq cherry-studio are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
CherryHQ / cherry-studio
1.9.0 1.9.1 1.9.2 1.9.3 1.9.4 1.9.5 1.9.6
References
vuldb.com: https://vuldb.com/vuln/374532 vuldb.com: https://vuldb.com/vuln/374532/cti vuldb.com: https://vuldb.com/cve/CVE-2026-13524 vuldb.com: https://vuldb.com/submit/840175 github.com: https://github.com/CherryHQ/cherry-studio/issues/15372 github.com: https://github.com/CherryHQ/cherry-studio/pull/15388 github.com: https://github.com/CherryHQ/cherry-studio/
Credits
๐ dem0000 (VulDB User) VulDB CNA Team