CVE-2026-13524
MediumCVSS 5.6Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
A vulnerability was found in CherryHQ cherry-studio up to version 1.9.6 in the MCP OAuth Local Callback Server component. Manipulation of the 'code' argument in callback.ts leads to improper authorization. The attack can be initiated remotely but is considered difficult to exploit.
Risk Assessment
The organization faces the risk of unauthorized remote access to the system, potentially leading to data confidentiality and integrity breaches.
Recommendation
It is recommended to apply the patch as soon as it becomes available and monitor the project repository for the fix. Until the official patch is released, restrict access to the MCP OAuth component.
Original NVD description (English source)
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

