CVE-2026-13534

Name of the Vulnerable Software and Affected Versions CherryHQ cherry-studio versions prior to 1.9.8

Description An authorization bypass exists in the CherryIN Preload API component. A remote attacker can bypass authorization by manipulating the state argument within the sha256() function located in the src/main/services/memory/MemoryService.ts file. The attack complexity is high and exploitability is considered difficult.

Recommendations Update to a version newer than 1.9.7. As a temporary mitigation, restrict access to the sha256() function in the src/main/services/memory/MemoryService.ts file.