CVE-2026-42073

Name of the Vulnerable Software and Affected Versions OpenClaude versions prior to 0.5.1

Description The MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent Cross-Site Request Forgery (CSRF) attacks, the server validates a state parameter against an internally stored value. A logic flaw in the order of conditionals allows an attacker to bypass this check by providing an error query parameter in the request. When the error parameter is present, the CSRF validation is skipped, and the server executes a cleanup function that shuts down the local server and terminates the user's active authentication session, resulting in a Denial of Service (DoS).

Recommendations Update to version 0.5.1.