PT-2026-53194 · Cherryhq · Cherry-Studio
Dem0000 · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-13524
CVSS v3.1: 5.6 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
CherryHQ cherry-studio versions prior to 1.9.7
Description
Improper authorization exists in the MCP OAuth Local Callback Server component, in the file src/main/services/mcp/oauth/callback.ts. A remote attacker can manipulate the code argument to bypass authorization. The attack has high complexity and is difficult to exploit.
Recommendations
Update to a version newer than 1.9.6.
As a temporary mitigation, restrict access to the MCP OAuth Local Callback Server component.
Incorrect Privilege Assignment
Improper Authorization
Affected Products
Cherry-Studio