CVE-2026-13534
CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains, that "[m]emory is planned to be removed in v2 version."
| CWE | CWE-639 CWE-285 |
| Vendor | cherryhq |
| Product | cherry-studio |
| Published | Jun 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for cherryhq cherry-studio
Be the first to know when new medium vulnerabilities affecting cherryhq cherry-studio are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
CherryHQ / cherry-studio
1.9.0 1.9.1 1.9.2 1.9.3 1.9.4 1.9.5 1.9.6 1.9.7
References
vuldb.com: https://vuldb.com/vuln/374542 vuldb.com: https://vuldb.com/vuln/374542/cti vuldb.com: https://vuldb.com/cve/CVE-2026-13534 vuldb.com: https://vuldb.com/submit/841998 github.com: https://github.com/CherryHQ/cherry-studio/issues/15411 github.com: https://github.com/CherryHQ/cherry-studio/pull/15413 github.com: https://github.com/CherryHQ/cherry-studio/
Credits
๐ dem0000 (VulDB User) VulDB CNA Team